aic: Validate values read from the bitstream

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>

aic: Validate values read from the bitstream
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
0f678c02 · Martin Storsjö · 17d57848 · 0f678c02
Commit 0f678c02 authored Sep 11, 2013 by Martin Storsjö
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

aic.c libavcodec/aic.c +4 -2

No files found.
--- a/libavcodec/aic.c
+++ b/libavcodec/aic.c
@@ -215,12 +215,14 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
            idx = -1;
            do {
                GET_CODE(val, skip_type, skip_bits);
+                if (val < 0)
+                    return AVERROR_INVALIDDATA;
                idx += val + 1;
                if (idx >= num_coeffs)
                    break;
                GET_CODE(val, coeff_type, coeff_bits);
                val++;
-                if (val >= 0x10000)
+                if (val >= 0x10000 || val < 0)
                    return AVERROR_INVALIDDATA;
                dst[scan[idx]] = val;
            } while (idx < num_coeffs - 1);
@@ -230,7 +232,7 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
        for (mb = 0; mb < slice_width; mb++) {
            for (idx = 0; idx < num_coeffs; idx++) {
                GET_CODE(val, coeff_type, coeff_bits);
-                if (val >= 0x10000)
+                if (val >= 0x10000 || val < 0)
                    return AVERROR_INVALIDDATA;
                dst[scan[idx]] = val;
            }