Commit 061c4898 authored by Federico Tomassetti's avatar Federico Tomassetti Committed by Luca Barbato

eamad: check for out of bounds read

Bug-Id: CID 1257500
CC: libav-stable@libav.org
Signed-off-by: 's avatarLuca Barbato <lu_zero@gentoo.org>
parent 161442ff
...@@ -145,6 +145,11 @@ static inline void decode_block_intra(MadContext *s, int16_t * block) ...@@ -145,6 +145,11 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
break; break;
} else if (level != 0) { } else if (level != 0) {
i += run; i += run;
if (i > 63) {
av_log(s->avctx, AV_LOG_ERROR,
"ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
return;
}
j = scantable[i]; j = scantable[i];
level = (level*quant_matrix[j]) >> 4; level = (level*quant_matrix[j]) >> 4;
level = (level-1)|1; level = (level-1)|1;
...@@ -159,6 +164,11 @@ static inline void decode_block_intra(MadContext *s, int16_t * block) ...@@ -159,6 +164,11 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6); run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6);
i += run; i += run;
if (i > 63) {
av_log(s->avctx, AV_LOG_ERROR,
"ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
return;
}
j = scantable[i]; j = scantable[i];
if (level < 0) { if (level < 0) {
level = -level; level = -level;
...@@ -170,10 +180,6 @@ static inline void decode_block_intra(MadContext *s, int16_t * block) ...@@ -170,10 +180,6 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
level = (level-1)|1; level = (level-1)|1;
} }
} }
if (i > 63) {
av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
return;
}
block[j] = level; block[j] = level;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment