authorMichael Niedermayer <michael@niedermayer.cc>2016-01-05 02:28:10 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2016-01-05 02:55:49 +0100
commiteb8a67de75ef6fd043f5749f6448c1874f149783 (patch)
tree6efa2ab88973f09baba52f950a94c82b21682244
parent43624a669b706168989a3b1ac608943f8cb208d1 (diff)
downloadffmpeg-eb8a67de75ef6fd043f5749f6448c1874f149783.tar.gz
avcodec/dxv: Check idx in CHECKPOINT()
Fixes out of array read Fixes Ticket5098 Fixes Ticket5099 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/dxv.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 4fdfd65404..f1ea2987ae 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -105,9 +105,17 @@ static int decompress_texture_thread(AVCodecContext *avctx, void *arg,
break; \
case 2: \
idx = (bytestream2_get_byte(gbc) + 2) * x; \
+ if (idx > pos) { \
+ av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \
+ return AVERROR_INVALIDDATA; \
+ } \
break; \
case 3: \
idx = (bytestream2_get_le16(gbc) + 0x102) * x; \
+ if (idx > pos) { \
+ av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \
+ return AVERROR_INVALIDDATA; \
+ } \
break; \
} \
} while(0)
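Review bot: The new `idx > pos` guard is pasted identically into `case 2` and `case 3`, but the start of the `switch` and of the CHECKPOINT macro lies outside this hunk, so it is not visible whether an earlier case assigns `idx` without the same bound. A single check after the closing brace of the `switch`, `if (idx > pos) { av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); return AVERROR_INVALIDDATA; }`, would remove the duplication and cover every branch that sets `idx`, provided no branch deliberately leaves `idx` at a stale value. Because the macro now contains a `return`, it also deserves a comment above its definition such as `/* May return AVERROR_INVALIDDATA from the enclosing function; needs avctx, idx and pos in scope. */`, so that callers holding resources at a CHECKPOINT() site know an early exit is possible.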