avcodec/aic: Fix vlc value checks

Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-05-22 21:29:45 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-05-22 21:30:28 +0200
commit: 657875b145c788d29b8e3bf38f79264e657932ae (patch)
tree: ab33a79e823d9960f0c1d3c0dca7aab675f16565
parent: 30df9789a9745d8e4b1afc10d1a983bfc8816eb9 (diff)
download: ffmpeg-657875b145c788d29b8e3bf38f79264e657932ae.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/aic.c b/libavcodec/aic.c
index bf8a0e4de1..5a7d6c74b1 100644
--- a/libavcodec/aic.c
+++ b/libavcodec/aic.c
@@ -201,7 +201,8 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
     int has_skips, coeff_type, coeff_bits, skip_type, skip_bits;
     const int num_coeffs = aic_num_band_coeffs[band];
     const uint8_t *scan = aic_scan[band];
-    int mb, idx, val;
+    int mb, idx;
+    unsigned val;
 
     has_skips  = get_bits1(gb);
     coeff_type = get_bits1(gb);
@@ -215,6 +216,8 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
             idx = -1;
             do {
                 GET_CODE(val, skip_type, skip_bits);
+                if (val >= 0x10000)
+                    return AVERROR_INVALIDDATA;
                 idx += val + 1;
                 if (idx >= num_coeffs)
                     break;
author	Michael Niedermayer <michaelni@gmx.at>	2013-05-22 21:29:45 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-05-22 21:30:28 +0200
commit	657875b145c788d29b8e3bf38f79264e657932ae (patch)
tree	ab33a79e823d9960f0c1d3c0dca7aab675f16565
parent	30df9789a9745d8e4b1afc10d1a983bfc8816eb9 (diff)
download	ffmpeg-657875b145c788d29b8e3bf38f79264e657932ae.tar.gz