avcodec/vc1_block: Fix mqaunt check for negative values

Fixes: out of array access Fixes: ffmpeg_bof_4.avi Fixes: ffmpeg_bof_5.avi Fixes: ffmpeg_bof_6.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Reviewed-by: Jerome Borsboom <jerome.borsboom@carpalis.nl> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/vc1_block: Fix mqaunt check for negative values
Fixes: out of array access Fixes: ffmpeg_bof_4.avi Fixes: ffmpeg_bof_5.avi Fixes: ffmpeg_bof_6.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Reviewed-by: Jerome Borsboom <jerome.borsboom@carpalis.nl> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
d08d4a8c · Michael Niedermayer · 5a99e000 · d08d4a8c
Commit d08d4a8c authored Jun 28, 2018 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

vc1_block.c libavcodec/vc1_block.c +1 -1

No files found.
--- a/libavcodec/vc1_block.c
+++ b/libavcodec/vc1_block.c
@@ -207,7 +207,7 @@ static void vc1_put_blocks_clamped(VC1Context *v, int put_signed)
        if ((edges&8) &&                                       \
            s->mb_y == ((s->mb_height >> v->field_mode) - 1))  \
            mquant = -v->altpq;                                \
-        if (!mquant || mquant > 31) {                          \
+        if (!mquant || mquant > 31 || mquant < -31) {                          \
            av_log(v->s.avctx, AV_LOG_ERROR,                   \
                   "Overriding invalid mquant %d\n", mquant);  \
            mquant = 1;                                        \