virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

aic: Validate values read from the bitstream

Browse Source 
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This commit is contained in:
Martin Storsjö 2013-09-11 23:25:04 +03:00
parent 17d57848fc
commit 0f678c0214
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavcodec/aic.c
View File

@ -215,12 +215,14 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
idx = -1; idx = -1;
do { do {
GET_CODE(val, skip_type, skip_bits); GET_CODE(val, skip_type, skip_bits);
if (val < 0)
return AVERROR_INVALIDDATA;
idx += val + 1; idx += val + 1;
if (idx >= num_coeffs) if (idx >= num_coeffs)
break; break;
GET_CODE(val, coeff_type, coeff_bits); GET_CODE(val, coeff_type, coeff_bits);
val++; val++;
if (val >= 0x10000) if (val >= 0x10000 || val < 0)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
dst[scan[idx]] = val; dst[scan[idx]] = val;
} while (idx < num_coeffs - 1); } while (idx < num_coeffs - 1);
@ -230,7 +232,7 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
for (mb = 0; mb < slice_width; mb++) { for (mb = 0; mb < slice_width; mb++) {
for (idx = 0; idx < num_coeffs; idx++) { for (idx = 0; idx < num_coeffs; idx++) {
GET_CODE(val, coeff_type, coeff_bits); GET_CODE(val, coeff_type, coeff_bits);
if (val >= 0x10000) if (val >= 0x10000 || val < 0)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
dst[scan[idx]] = val; dst[scan[idx]] = val;
} }