Commit 14e4e265 authored by Andreas Cadhalpun's avatar Andreas Cadhalpun

interplayacm: check for too large b

This fixes out-of-bounds reads.
Reviewed-by: 's avatarPaul B Mahol <onemda@gmail.com>
Signed-off-by: 's avatarAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
parent 2d99101d
...@@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col) ...@@ -326,6 +326,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col)
for (i = 0; i < s->rows; i++) { for (i = 0; i < s->rows; i++) {
/* b = (x1) + (x2 * 3) + (x3 * 9) */ /* b = (x1) + (x2 * 3) + (x3 * 9) */
b = get_bits(gb, 5); b = get_bits(gb, 5);
if (b > 26) {
av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
return AVERROR_INVALIDDATA;
}
n1 = (mul_3x3[b] & 0x0F) - 1; n1 = (mul_3x3[b] & 0x0F) - 1;
n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1; n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
...@@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col) ...@@ -351,6 +355,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col)
for (i = 0; i < s->rows; i++) { for (i = 0; i < s->rows; i++) {
/* b = (x1) + (x2 * 5) + (x3 * 25) */ /* b = (x1) + (x2 * 5) + (x3 * 25) */
b = get_bits(gb, 7); b = get_bits(gb, 7);
if (b > 124) {
av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
return AVERROR_INVALIDDATA;
}
n1 = (mul_3x5[b] & 0x0F) - 2; n1 = (mul_3x5[b] & 0x0F) - 2;
n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2; n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
...@@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col) ...@@ -375,6 +383,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col)
for (i = 0; i < s->rows; i++) { for (i = 0; i < s->rows; i++) {
/* b = (x1) + (x2 * 11) */ /* b = (x1) + (x2 * 11) */
b = get_bits(gb, 7); b = get_bits(gb, 7);
if (b > 120) {
av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
return AVERROR_INVALIDDATA;
}
n1 = (mul_2x11[b] & 0x0F) - 5; n1 = (mul_2x11[b] & 0x0F) - 5;
n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5; n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;
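Review bot: The three new bounds (`b > 26` in t15, `b > 124` in t27, `b > 120` in t37) are hard-coded literals, repeated in the log strings, rather than derived from the tables they protect, so a guard and its table size can drift apart if either is edited later. Because `get_bits(gb, 5)` can return up to 31 and `get_bits(gb, 7)` up to 127, this check is the only thing keeping an index read from the bitstream inside mul_3x3, mul_3x5 and mul_2x11; tying it to the array, e.g. `if (b >= FF_ARRAY_ELEMS(mul_3x3)) {`, keeps that invariant correct by construction (the table declarations are outside these hunks, so confirm they are real arrays in scope and not pointers). Separately, `av_log(NULL, ...)` discards the logging context, so the error cannot be attributed to a decoder instance, and `%d` would be a format mismatch if b is declared unsigned, which the hunks do not show. All three function bodies start and end outside the visible hunks.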