indeo4: check quant_mat more fully.
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 23 Apr 2012 19:40:02 +0000 (21:40 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 23 Apr 2012 19:59:34 +0000 (21:59 +0200)
The valid range of quant_mat depends on the block size.
This fixes a global array overread.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/indeo4.c

index 45ff6197c516c2d8efadde68048093ebe25bd85c..6615b63ce26233eef5fbc1f8706eedb265d37572 100644 (file)
@@ -420,7 +420,11 @@ static int decode_band_hdr(IVI4DecContext *ctx, IVIBandDesc *band,
             }
             band->quant_mat = quant_mat;
         }
-
+        if (quant_index_to_tab[band->quant_mat] > 4 && band->blk_size == 4) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid quant matrix for 4x4 block encountered!\n");
+            band->quant_mat = 0;
+            return AVERROR_INVALIDDATA;
+        }
         /* decode block huffman codebook */
         if (ff_ivi_dec_huff_desc(&ctx->gb, get_bits1(&ctx->gb), IVI_BLK_HUFF,
                                  &band->blk_vlc, avctx))
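Review bot: The new lookup `quant_index_to_tab[band->quant_mat]` uses `band->quant_mat` as an index without any range check inside this hunk. Because the test sits after the closing brace of the block that assigns `band->quant_mat`, it also runs when that block is skipped and the field still holds a value from an earlier header. Any upper-bound check on `quant_mat` is above the hunk and not visible here, so making the guard self-contained would keep this check from becoming a second overread: `if (band->quant_mat >= FF_ARRAY_ELEMS(quant_index_to_tab) || (quant_index_to_tab[band->quant_mat] > 4 && band->blk_size == 4)) {`. The threshold `4` is also unexplained. A one-line comment such as `/* table entries above 4 select matrices that presumably exist only for 8x8 blocks */` would document it once confirmed against the table definitions. `decode_band_hdr` starts and ends outside the hunk.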