[FFmpeg-cvslog] indeo3: out of array read checks for decode_plane()

Michael Niedermayer git at videolan.org
Fri Nov 25 18:13:19 CET 2011


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Nov 25 18:04:17 2011 +0100| [1afe49b062a959ed0433e4fd9c1b5dff829ae03e] | committer: Michael Niedermayer

indeo3: out of array read checks for decode_plane()
Fixes: avi+indeo3+++1-dog.avi

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1afe49b062a959ed0433e4fd9c1b5dff829ae03e
---

 libavcodec/indeo3.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index b20c3fc..c22d257 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -798,15 +798,19 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                         int32_t strip_width)
 {
     Cell            curr_cell;
-    int             num_vectors;
+    uint32_t        num_vectors;
 
     /* each plane data starts with mc_vector_count field, */
     /* an optional array of motion vectors followed by the vq data */
     num_vectors = bytestream_get_le32(&data);
+    if(num_vectors >= data_size/2)
+        return AVERROR_INVALIDDATA;
     ctx->mc_vectors  = num_vectors ? data : 0;
+    data     += num_vectors * 2;
+    data_size-= num_vectors * 2;
 
     /* init the bitreader */
-    init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3);
+    init_get_bits(&ctx->gb, data, data_size << 3);
     ctx->skip_bits   = 0;
     ctx->need_resync = 0;
 



More information about the ffmpeg-cvslog mailing list