ffmpeg | branch: release/3.0 | Andreas Cadhalpun <andreas.cadhal...@googlemail.com> | Sun Oct 30 20:47:22 2016 +0100| [a1e6daeb1e92abf59e6b5a4229948ca54967f759] | committer: Andreas Cadhalpun
interplayacm: check for too large b This fixes out-of-bounds reads. Reviewed-by: Paul B Mahol <one...@gmail.com> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> (cherry picked from commit 14e4e26559697cfdea584767be4e68474a0a9c7f) Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a1e6daeb1e92abf59e6b5a4229948ca54967f759
---
libavcodec/interplayacm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
index a676bcb..2c23fac 100644
--- a/libavcodec/interplayacm.c
+++ b/libavcodec/interplayacm.c
@@ -325,6 +325,10 @@ static int t15(InterplayACMContext *s, unsigned ind, unsigned col)
 for (i = 0; i < s->rows; i++) {
 /* b = (x1) + (x2 * 3) + (x3 * 9) */
 b = get_bits(gb, 5);
+ if (b > 26) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 26\n", b);
+ return AVERROR_INVALIDDATA;
+ }
 n1 = (mul_3x3[b] & 0x0F) - 1;
 n2 = ((mul_3x3[b] >> 4) & 0x0F) - 1;
@@ -350,6 +354,10 @@ static int t27(InterplayACMContext *s, unsigned ind, unsigned col)
 for (i = 0; i < s->rows; i++) {
 /* b = (x1) + (x2 * 5) + (x3 * 25) */
 b = get_bits(gb, 7);
+ if (b > 124) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 124\n", b);
+ return AVERROR_INVALIDDATA;
+ }
 n1 = (mul_3x5[b] & 0x0F) - 2;
 n2 = ((mul_3x5[b] >> 4) & 0x0F) - 2;
@@ -374,6 +382,10 @@ static int t37(InterplayACMContext *s, unsigned ind, unsigned col)
 for (i = 0; i < s->rows; i++) {
 /* b = (x1) + (x2 * 11) */
 b = get_bits(gb, 7);
+ if (b > 120) {
+ av_log(NULL, AV_LOG_ERROR, "Too large b = %d > 120\n", b);
+ return AVERROR_INVALIDDATA;
+ }
 n1 = (mul_2x11[b] & 0x0F) - 5;
 n2 = ((mul_2x11[b] >> 4) & 0x0F) - 5;
_______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
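Review bot: The new guard in t15 compares `b` with the literal 26, which is only right while it matches the length of `mul_3x3`, whose declaration is outside this hunk; the comment's arithmetic (three base-3 digits, maximum 2 + 6 + 18) agrees with it, but nothing in the code ties the bound to the table. If the table is a true array in this file, `if (b >= FF_ARRAY_ELEMS(mul_3x3)) {` would keep the out-of-bounds read closed should the table ever be resized, and the same applies to the 124 check against `mul_3x5` in t27 and the 120 check against `mul_2x11` in t37. All three messages go through `av_log(NULL, ...)`, so a rejection triggered by a malformed file cannot be attributed to a decoder instance in the log; pass the codec context if one is reachable from `s`. `b` is printed with `%d`, and if it is declared unsigned (the declaration is not in the hunk) `%u` is the matching specifier. Each of the three function bodies begins and ends outside its hunk.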