diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2019-08-15 18:47:54 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2019-09-04 20:26:35 +0200 |
| commit | 7edcd88a3f74182bdc28dc29bd903c6c22c3c9d8 (patch) | |
| tree | 5d8f5783f07057583c15d6f10013ccb1724c2679 | |
| parent | 948e655d133a1f2d5ca7cdcda6f570fcad0fbcc7 (diff) | |
| download | ffmpeg-7edcd88a3f74182bdc28dc29bd903c6c22c3c9d8.tar.gz | |
avcodec/vc1_block: Check for double escapes
Fixes: out of array read
Fixes: 16331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5672735195267072
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6962fd586e1a9a98828866dcfb4114af30c8c756)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/vc1_block.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 94184b0873..775e3c516b 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -526,7 +526,7 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); - if (index < 0) + if (index >= ff_vc1_ac_sizes[codingset] - 1U) return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; |