Commit 161442ff authored by Federico Tomassetti's avatar Federico Tomassetti Committed by Luca Barbato

mdec: check for out of bounds read

Bug-Id: CID 1257501
CC: libav-stable@libav.org
Signed-off-by: 's avatarLuca Barbato <lu_zero@gentoo.org>
parent fe208ca5
...@@ -87,6 +87,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) ...@@ -87,6 +87,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
break; break;
} else if (level != 0) { } else if (level != 0) {
i += run; i += run;
if (i > 63) {
av_log(a->avctx, AV_LOG_ERROR,
"ac-tex damaged at %d %d\n", a->mb_x, a->mb_y);
return AVERROR_INVALIDDATA;
}
j = scantable[i]; j = scantable[i];
level = (level * qscale * quant_matrix[j]) >> 3; level = (level * qscale * quant_matrix[j]) >> 3;
level = (level ^ SHOW_SBITS(re, &a->gb, 1)) - SHOW_SBITS(re, &a->gb, 1); level = (level ^ SHOW_SBITS(re, &a->gb, 1)) - SHOW_SBITS(re, &a->gb, 1);
...@@ -97,6 +102,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) ...@@ -97,6 +102,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
UPDATE_CACHE(re, &a->gb); UPDATE_CACHE(re, &a->gb);
level = SHOW_SBITS(re, &a->gb, 10); SKIP_BITS(re, &a->gb, 10); level = SHOW_SBITS(re, &a->gb, 10); SKIP_BITS(re, &a->gb, 10);
i += run; i += run;
if (i > 63) {
av_log(a->avctx, AV_LOG_ERROR,
"ac-tex damaged at %d %d\n", a->mb_x, a->mb_y);
return AVERROR_INVALIDDATA;
}
j = scantable[i]; j = scantable[i];
if (level < 0) { if (level < 0) {
level = -level; level = -level;
...@@ -108,10 +118,6 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) ...@@ -108,10 +118,6 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
level = (level - 1) | 1; level = (level - 1) | 1;
} }
} }
if (i > 63) {
av_log(a->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", a->mb_x, a->mb_y);
return AVERROR_INVALIDDATA;
}
block[j] = level; block[j] = level;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment