indeo5: check quant_mat
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 31 May 2012 03:01:28 +0000 (05:01 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Sat, 9 Jun 2012 19:07:17 +0000 (21:07 +0200)
prevents out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/indeo5.c

index 4c6bfd6..eb16726 100644 (file)
@@ -219,6 +219,10 @@ static int decode_gop_header(IVI5DecContext *ctx, AVCodecContext *avctx)
             }
 
             if (band->blk_size == 8) {
+                if(quant_mat >= 5){
+                    av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat);
+                    return -1;
+                }
                 band->intra_base  = &ivi5_base_quant_8x8_intra[quant_mat][0];
                 band->inter_base  = &ivi5_base_quant_8x8_inter[quant_mat][0];
                 band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0];