diracdec: Fix integer overflow leading to out of global array read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 9729f140ae073f1df2041b6c5fd2068592eb9c48) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-01-29 03:38:58 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-03-16 15:59:21 +0100
commit: 9f253ebb41c5365edc406bf73bf1c483befc6ee4 (patch)
tree: c45b5fcec6a325713eb261abfdc1b134ffd6b6f6
parent: 6242dae507dbe1b7961e34a5e5e05292e7101ba1 (diff)
download: ffmpeg-9f253ebb41c5365edc406bf73bf1c483befc6ee4.tar.gz
1 files changed, 8 insertions, 3 deletions
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 03e7d0abde..c96b37aa4e 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1172,7 +1172,7 @@ static void propagate_block_data(DiracBlock *block, int stride, int size)
  * Dirac Specification ->
  * 12. Block motion data syntax
  */
-static void dirac_unpack_block_motion_data(DiracContext *s)
+static int dirac_unpack_block_motion_data(DiracContext *s)
 {
     GetBitContext *gb = &s->gb;
     uint8_t *sbsplit = s->sbsplit;
@@ -1192,7 +1192,9 @@ static void dirac_unpack_block_motion_data(DiracContext *s)
     ff_dirac_init_arith_decoder(arith, gb, svq3_get_ue_golomb(gb));     /* svq3_get_ue_golomb(gb) is the length */
     for (y = 0; y < s->sbheight; y++) {
         for (x = 0; x < s->sbwidth; x++) {
-            int split  = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA);
+            unsigned int split  = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA);
+            if (split > 2)
+                return -1;
             sbsplit[x] = (split + pred_sbsplit(sbsplit+x, s->sbwidth, x, y)) % 3;
         }
         sbsplit += s->sbwidth;
@@ -1221,6 +1223,8 @@ static void dirac_unpack_block_motion_data(DiracContext *s)
                     propagate_block_data(block, s->blwidth, step);
                 }
         }
+
+    return 0;
 }
 
 static int weight(int i, int blen, int offset)
@@ -1675,7 +1679,8 @@ static int dirac_decode_picture_header(DiracContext *s)
     if (s->num_refs) {
         if (dirac_unpack_prediction_parameters(s))  /* [DIRAC_STD] 11.2 Picture Prediction Data. picture_prediction() */
             return -1;
-        dirac_unpack_block_motion_data(s);          /* [DIRAC_STD] 12. Block motion data syntax                       */
+        if (dirac_unpack_block_motion_data(s))      /* [DIRAC_STD] 12. Block motion data syntax                       */
+            return -1;
     }
     if (dirac_unpack_idwt_params(s))                /* [DIRAC_STD] 11.3 Wavelet transform data                        */
         return -1;
author	Michael Niedermayer <michaelni@gmx.at>	2012-01-29 03:38:58 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-03-16 15:59:21 +0100
commit	9f253ebb41c5365edc406bf73bf1c483befc6ee4 (patch)
tree	c45b5fcec6a325713eb261abfdc1b134ffd6b6f6
parent	6242dae507dbe1b7961e34a5e5e05292e7101ba1 (diff)
download	ffmpeg-9f253ebb41c5365edc406bf73bf1c483befc6ee4.tar.gz