avcodec/vc1: Check bfraction_lut_index

Fixes: out of array read Fixes: asan_static-oob_1b40507_2849_SA10143.vc1 Fixes: asan_static-oob_1b40a15_2849_cov_1182297305_SA10143.vc1 Fixes: asan_static-oob_1b40f15_2849_cov_2159513432_SA10143.vc1 Fixes: asan_static-oob_1b40f15_2849_cov_3230311510_SA10143.vc1 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-02-01 17:07:40 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2014-02-01 17:10:48 +0100
commit: dcf5bfbdb6137ffdca66e0b7c2929ced42732951 (patch)
tree: 5d36cfce192b64692ee8dc8089d451afb0946745
parent: 388b4cf86ed5ec27d35eb5069769db12a4e31af0 (diff)
download: ffmpeg-dcf5bfbdb6137ffdca66e0b7c2929ced42732951.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index 085020938a..832ba4c111 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -614,7 +614,13 @@ static void rotate_luts(VC1Context *v)
 }
 
 static int read_bfraction(VC1Context *v, GetBitContext* gb) {
-    v->bfraction_lut_index = get_vlc2(gb, ff_vc1_bfraction_vlc.table, VC1_BFRACTION_VLC_BITS, 1);
+    int bfraction_lut_index = get_vlc2(gb, ff_vc1_bfraction_vlc.table, VC1_BFRACTION_VLC_BITS, 1);
+
+    if (bfraction_lut_index == 21 || bfraction_lut_index < 0) {
+        av_log(v->s.avctx, AV_LOG_ERROR, "bfraction invalid\n");
+        return AVERROR_INVALIDDATA;
+    }
+    v->bfraction_lut_index = bfraction_lut_index;
     v->bfraction           = ff_vc1_bfraction_lut[v->bfraction_lut_index];
     return 0;
 }
author	Michael Niedermayer <michaelni@gmx.at>	2014-02-01 17:07:40 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2014-02-01 17:10:48 +0100
commit	dcf5bfbdb6137ffdca66e0b7c2929ced42732951 (patch)
tree	5d36cfce192b64692ee8dc8089d451afb0946745
parent	388b4cf86ed5ec27d35eb5069769db12a4e31af0 (diff)
download	ffmpeg-dcf5bfbdb6137ffdca66e0b7c2929ced42732951.tar.gz