diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-04-23 21:40:02 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-04-23 21:59:34 +0200 |
| commit | 29545741266a03332f2758c7ba4f77f362c3668d (patch) | |
| tree | f33aa00e1d13da6aa769c8a9e14407c07bb8d678 /libavcodec | |
| parent | 53253a0b83f1e9cfb6cc08a62364051ff5d69c09 (diff) | |
| download | ffmpeg-29545741266a03332f2758c7ba4f77f362c3668d.tar.gz | |
indeo4: check quant_mat more fully.
quant_mats valid range depends on the block size.
This fixes a global array overread.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/indeo4.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 45ff6197c5..6615b63ce2 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -420,7 +420,11 @@ static int decode_band_hdr(IVI4DecContext *ctx, IVIBandDesc *band, } band->quant_mat = quant_mat; } - + if (quant_index_to_tab[band->quant_mat] > 4 && band->blk_size == 4) { + av_log(avctx, AV_LOG_ERROR, "Invalid quant matrix for 4x4 block encountered!\n"); + band->quant_mat = 0; + return AVERROR_INVALIDDATA; + } /* decode block huffman codebook */ if (ff_ivi_dec_huff_desc(&ctx->gb, get_bits1(&ctx->gb), IVI_BLK_HUFF, &band->blk_vlc, avctx)) |