From 1afe49b062a959ed0433e4fd9c1b5dff829ae03e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Nov 2011 18:04:17 +0100 Subject: [PATCH] indeo3: out of array read checks for decode_plane() Fixes: avi+indeo3+++1-dog.avi Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index b20c3fc676..c22d257fb9 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -798,15 +798,19 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx, int32_t strip_width) { Cell curr_cell; - int num_vectors; + uint32_t num_vectors; /* each plane data starts with mc_vector_count field, */ /* an optional array of motion vectors followed by the vq data */ num_vectors = bytestream_get_le32(&data); + if(num_vectors >= data_size/2) + return AVERROR_INVALIDDATA; ctx->mc_vectors = num_vectors ? data : 0; + data += num_vectors * 2; + data_size-= num_vectors * 2; /* init the bitreader */ - init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3); + init_get_bits(&ctx->gb, data, data_size << 3); ctx->skip_bits = 0; ctx->need_resync = 0;