diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-11-17 01:09:20 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-11-17 02:09:56 +0100 |
| commit | 31fce399425b986557ab94a2dd8305b289710f0e (patch) | |
| tree | e39e0309face5de88ecd7df7dea644119ac72dbf /libavcodec/truemotion2.c | |
| parent | c6945228e8ebc3e6252aed452302c1d1101bcde6 (diff) | |
| download | ffmpeg-31fce399425b986557ab94a2dd8305b289710f0e.tar.gz | |
tm2: check for invalid vlcs, fix out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/truemotion2.c')
| -rw-r--r-- | libavcodec/truemotion2.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 3ef6e2c074..7ef35ff2b6 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -200,6 +200,8 @@ static inline int tm2_get_token(GetBitContext *gb, TM2Codes *code) { int val; val = get_vlc2(gb, code->vlc.table, code->bits, 1); + if(val<0) + return -1; return code->recode[val]; } @@ -325,7 +327,7 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i return AVERROR_INVALIDDATA; } ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes); - if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) { + if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS || ctx->tokens[stream_id][i]<0) { av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n", ctx->tokens[stream_id][i], stream_id, i); return AVERROR_INVALIDDATA; |