eamad: check for out of bounds read
authorFederico Tomassetti <ftomassetti@groupon.com>
Wed, 18 Feb 2015 12:11:44 +0000 (12:11 +0000)
committerLuca Barbato <lu_zero@gentoo.org>
Mon, 23 Feb 2015 14:06:18 +0000 (15:06 +0100)
Bug-Id: CID 1257500
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
libavcodec/eamad.c

index a226a83..a76d935 100644 (file)
@@ -145,6 +145,11 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
                 break;
             } else if (level != 0) {
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return;
+                }
                 j = scantable[i];
                 level = (level*quant_matrix[j]) >> 4;
                 level = (level-1)|1;
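Review bot: The new `i > 63` guard before `j = scantable[i]` logs the damage and then leaves through a bare `return;` in a function declared `static inline void`, so the caller gets no signal that the block was abandoned part-way and will presumably carry on with a partially filled `block`. Consider making `decode_block_intra` return `int` and ending the guard with `return AVERROR_INVALIDDATA;`, so the caller can discard the macroblock or frame. The signature and the call site are outside this hunk. The same applies to the identical guard added after the 6-bit `run` read in the next hunk. A one-line comment on each guard, e.g. `/* reject before i is used to index scantable */`, would record why the check has to precede the lookup rather than sit at the end of the loop body where it used to be.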
@@ -159,6 +164,11 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
                 run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6);
 
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return;
+                }
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
@@ -170,10 +180,6 @@ static inline void decode_block_intra(MadContext *s, int16_t * block)
                     level = (level-1)|1;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return;
-            }
 
             block[j] = level;
         }