aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-08-15 18:47:54 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2019-11-11 20:18:47 +0100
commitffaa89b5ad0daa503b469f699741291362a27cf6 (patch)
tree3c3ed11501a233cb92eee4809030be654cef451a
parent77b92f757a60c2aaa9a9b4ba63825489382ad0c4 (diff)
downloadffmpeg-ffaa89b5ad0daa503b469f699741291362a27cf6.tar.gz
avcodec/vc1_block: Check for double escapes
Fixes: out of array read Fixes: 16331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5672735195267072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 6962fd586e1a9a98828866dcfb4114af30c8c756) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat
-rw-r--r--libavcodec/vc1_block.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c
index 05ffed45f2..1f2244e16f 100644
--- a/libavcodec/vc1_block.c
+++ b/libavcodec/vc1_block.c
@@ -507,7 +507,7 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip,
int escape = decode210(gb);
if (escape != 2) {
index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3);
- if (index < 0)
+ if (index >= ff_vc1_ac_sizes[codingset] - 1U)
return AVERROR_INVALIDDATA;
run = vc1_index_decode_table[codingset][index][0];
level = vc1_index_decode_table[codingset][index][1];
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-14 17:00:08 +0000