Commit 657875b1 authored by Michael Niedermayer

avcodec/aic: Fix vlc value checks

Fixes out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 30df9789
...@@ -201,7 +201,8 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst, ...@@ -201,7 +201,8 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
int has_skips, coeff_type, coeff_bits, skip_type, skip_bits; int has_skips, coeff_type, coeff_bits, skip_type, skip_bits;
const int num_coeffs = aic_num_band_coeffs[band]; const int num_coeffs = aic_num_band_coeffs[band];
const uint8_t *scan = aic_scan[band]; const uint8_t *scan = aic_scan[band];
int mb, idx, val; int mb, idx;
unsigned val;
has_skips = get_bits1(gb); has_skips = get_bits1(gb);
coeff_type = get_bits1(gb); coeff_type = get_bits1(gb);
...@@ -215,6 +216,8 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst, ...@@ -215,6 +216,8 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
idx = -1; idx = -1;
do { do {
GET_CODE(val, skip_type, skip_bits); GET_CODE(val, skip_type, skip_bits);
if (val >= 0x10000)
return AVERROR_INVALIDDATA;
idx += val + 1; idx += val + 1;
if (idx >= num_coeffs) if (idx >= num_coeffs)
break; break;
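Review bot: The bound `0x10000` in the new `if (val >= 0x10000)` check is an unexplained magic number, and nothing in the hunk says what it protects. It sits directly before `idx += val + 1;`, so it presumably keeps an oversized or (before `val` became `unsigned`) negative decoded skip from moving `idx` to a value the following `idx >= num_coeffs` test would not catch; a comment such as `/* cap the skip so idx += val + 1 cannot wrap or go negative before the num_coeffs check */` would record that. The switch to `unsigned val` is what lets a single comparison cover both cases, which is worth a short comment at the declaration too. `aic_decode_coeffs` continues past the end of this hunk, so any later use of `val` from `GET_CODE` (for example a value stored through `dst`, an `int16_t *`) cannot be checked from here and should be confirmed to carry the same range check.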