Fix invalid reads in VC1 decoder
author Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Sat, 19 Feb 2011 10:33:01 +0000 (11:33 +0100)
committer Reinhard Tartler <siretart@tauware.de>
Fri, 18 Mar 2011 16:01:08 +0000 (17:01 +0100)
Patch discussed and taken from https://roundup.ffmpeg.org/issue2584
(cherry picked from commit 2bbec1eda46d907605772a8b6e8263caa4bc4c82)

Change related to CVE-2011-0723

libavcodec/vc1dec.c

index 52392c3..abcc5ec 100644 (file)
@@ -1365,7 +1365,7 @@ static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int *value,
     if (index != vc1_ac_sizes[codingset] - 1) {
         run = vc1_index_decode_table[codingset][index][0];
         level = vc1_index_decode_table[codingset][index][1];
-        lst = index >= vc1_last_decode_table[codingset];
+        lst = index >= vc1_last_decode_table[codingset] || get_bits_left(gb) < 0;
         if(get_bits1(gb))
             level = -level;
     } else {
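Review bot: The new `get_bits_left(gb) < 0` term on the `lst` assignment folds bitstream exhaustion into the normal "last coefficient" flag with no comment and no error indication, so a truncated block looks the same as a legitimately final coefficient to whatever consumes `*last`. Please add a one-line comment saying that `lst` is forced once the reader has run past the end of the buffer, and consider flagging the condition as a decode error so it can be logged or concealed. Two related points on the same lines: the test is `< 0`, so it only fires after the reader is already past the end, and the `get_bits1(gb)` sign read on the next line still executes in that state, which leaves safety dependent on how the bit reader itself handles overreads. Also, the check covers only the `if (index != vc1_ac_sizes[codingset] - 1)` branch; the `else` branch that begins on the last context line is untouched by this hunk, so it is worth confirming that path ends up with the same termination condition.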