diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2016-01-05 02:28:10 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2016-01-05 02:55:49 +0100 |
commit | eb8a67de75ef6fd043f5749f6448c1874f149783 (patch) | |
tree | 6efa2ab88973f09baba52f950a94c82b21682244 | |
parent | 43624a669b706168989a3b1ac608943f8cb208d1 (diff) | |
download | ffmpeg-eb8a67de75ef6fd043f5749f6448c1874f149783.tar.gz |
avcodec/dxv: Check idx in CHECKPOINT()
Fixes out of array read
Fixes Ticket5098
Fixes Ticket5099
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/dxv.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 4fdfd65404..f1ea2987ae 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -105,9 +105,17 @@ static int decompress_texture_thread(AVCodecContext *avctx, void *arg, break; \ case 2: \ idx = (bytestream2_get_byte(gbc) + 2) * x; \ + if (idx > pos) { \ + av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \ + return AVERROR_INVALIDDATA; \ + } \ break; \ case 3: \ idx = (bytestream2_get_le16(gbc) + 0x102) * x; \ + if (idx > pos) { \ + av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos); \ + return AVERROR_INVALIDDATA; \ + } \ break; \ } \ } while(0) |