diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2011-11-25 18:04:17 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-25 18:04:17 +0100 |
commit | 1afe49b062a959ed0433e4fd9c1b5dff829ae03e (patch) | |
tree | f9a6e8e1a66a99d38b15754f3428b22f6f35a234 /libavcodec/indeo3.c | |
parent | e9e642cbfbf36285f60d1dba00103f068b077940 (diff) | |
download | ffmpeg-1afe49b062a959ed0433e4fd9c1b5dff829ae03e.tar.gz |
indeo3: out of array read checks for decode_plane()
Fixes: avi+indeo3+++1-dog.avi
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/indeo3.c')
-rw-r--r-- | libavcodec/indeo3.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index b20c3fc676..c22d257fb9 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -798,15 +798,19 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx, int32_t strip_width) { Cell curr_cell; - int num_vectors; + uint32_t num_vectors; /* each plane data starts with mc_vector_count field, */ /* an optional array of motion vectors followed by the vq data */ num_vectors = bytestream_get_le32(&data); + if(num_vectors >= data_size/2) + return AVERROR_INVALIDDATA; ctx->mc_vectors = num_vectors ? data : 0; + data += num_vectors * 2; + data_size-= num_vectors * 2; /* init the bitreader */ - init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3); + init_get_bits(&ctx->gb, data, data_size << 3); ctx->skip_bits = 0; ctx->need_resync = 0; |