mss1: improve check if decoded pivot is invalid

The pivot has to lie between 0 and base. Check of ==base is insufficient. Thus replace it by a proper check. Fixes out of array write. Fixes bug #1531. Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Paul B Mahol <onemda@gmail.com>

mss1: improve check if decoded pivot is invalid
The pivot has to lie between 0 and base. Check of ==base is insufficient. Thus replace it by a proper check. Fixes out of array write. Fixes bug #1531. Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Paul B Mahol <onemda@gmail.com>
6ad45600 · Paul B Mahol · ab463000 · 6ad45600
Commit 6ad45600 authored Jul 14, 2012 by Paul B Mahol
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

mss1.c libavcodec/mss1.c +1 -1

No files found.
--- a/libavcodec/mss1.c
+++ b/libavcodec/mss1.c
@@ -575,7 +575,7 @@ static int decode_pivot(MSS1Context *ctx, ArithCoder *acoder, int base)
        val = arith_get_number(acoder, (base + 1) / 2 - 2) + 3;
    }

-    if (val == base) {
+    if ((unsigned)val >= base) {
        ctx->corrupted = 1;
        return 0;
    }