diff options
| author | Paul B Mahol <onemda@gmail.com> | 2012-07-14 23:27:21 +0000 |
|---|---|---|
| committer | Paul B Mahol <onemda@gmail.com> | 2012-07-15 02:12:02 +0000 |
| commit | 6ad45600313f0df1abf31abdd28f4339dbdc7ca0 (patch) | |
| tree | 16a21717e85adc4011d64e8b15ffe2f49151d664 /libavcodec/mss1.c | |
| parent | ab46300078d6c047c975c43baa71a32ca707e312 (diff) | |
| download | ffmpeg-6ad45600313f0df1abf31abdd28f4339dbdc7ca0.tar.gz | |
mss1: improve check if decoded pivot is invalid
The pivot has to lie between 0 and base.
Check of ==base is insufficient.
Thus replace it by a proper check.
Fixes out of array write.
Fixes bug #1531.
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
Diffstat (limited to 'libavcodec/mss1.c')
| -rw-r--r-- | libavcodec/mss1.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c index 302a5b84b1..4be7a1febf 100644 --- a/libavcodec/mss1.c +++ b/libavcodec/mss1.c @@ -575,7 +575,7 @@ static int decode_pivot(MSS1Context *ctx, ArithCoder *acoder, int base) val = arith_get_number(acoder, (base + 1) / 2 - 2) + 3; } - if (val == base) { + if ((unsigned)val >= base) { ctx->corrupted = 1; return 0; } |