mss1: improve check if decoded pivot is invalid
author Paul B Mahol <onemda@gmail.com>
Sat, 14 Jul 2012 23:27:21 +0000 (23:27 +0000)
committer Paul B Mahol <onemda@gmail.com>
Sun, 15 Jul 2012 02:12:02 +0000 (02:12 +0000)
The pivot has to lie between 0 and base.
Check of ==base is insufficient.
Thus replace it by a proper check.

Fixes out of array write.

Fixes bug #1531.

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Paul B Mahol <onemda@gmail.com>
libavcodec/mss1.c

index 302a5b8..4be7a1f 100644 (file)
@@ -575,7 +575,7 @@ static int decode_pivot(MSS1Context *ctx, ArithCoder *acoder, int base)
         val = arith_get_number(acoder, (base + 1) / 2 - 2) + 3;
     }
 
-    if (val == base) {
+    if ((unsigned)val >= base) {
         ctx->corrupted = 1;
         return 0;
     }
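Review bot: The new condition `if ((unsigned)val >= base)` compares an unsigned value against the signed `int base`, so `base` is implicitly converted to unsigned too, and the check only rejects out-of-range pivots while `base` is non-negative at this point. Writing the range out as `if (val < 0 || val >= base)` would state the intent from the commit message (pivot between 0 and base) directly and avoid a sign-compare warning; failing that, a short comment should say the cast is there to catch a negative `val`. The error path also returns 0, a value this check itself accepts as in range, so callers have to test `ctx->corrupted` rather than rely on the return value.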