Fixes: out of array read
Fixes: asff-crash-0e53d0dc491dfdd507530b66562812fbd4c36678

Found-by: Paul Ch <paulc...@icloud.com>
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/mpeg4videodec.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 2df525e03a..24c280df46 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2867,11 +2867,13 @@ static int decode_vop_header(Mpeg4DecContext *ctx, 
GetBitContext *gb)
     return 0;
 }
 
-static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb)
+static int read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb)
 {
     int i, j, v;
 
     if (get_bits1(gb)) {
+        if (get_bits_left(gb) < 64*8)
+            return AVERROR_INVALIDDATA;
         /* intra_quantiser_matrix */
         for (i = 0; i < 64; i++) {
             v = get_bits(gb, 8);
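Review bot: The new `int` return of `read_quant_matrix_ext` does not appear to be consumed anywhere: the diffstat's 10 insertions and 1 deletion are fully accounted for by the hunks shown, so no call site is touched, and `extension_and_user_data`, visible as context in the last hunk and presumably the caller, is still `static void`. If so, the `AVERROR_INVALIDDATA` from this guard and from the three identical guards in the following hunks stops the over-read, but the truncated header is still treated as successfully parsed. Consider propagating it, e.g. `ret = read_quant_matrix_ext(s, gb); if (ret < 0) return ret;`, with `extension_and_user_data` changed to return `int`. A one-line comment above the function, such as `/* Returns 0, or AVERROR_INVALIDDATA if a signalled matrix is truncated. */`, would document the new contract.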
@@ -2882,6 +2884,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, 
GetBitContext *gb)
     }
 
     if (get_bits1(gb)) {
+        if (get_bits_left(gb) < 64*8)
+            return AVERROR_INVALIDDATA;
         /* non_intra_quantiser_matrix */
         for (i = 0; i < 64; i++) {
             get_bits(gb, 8);
@@ -2889,6 +2893,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, 
GetBitContext *gb)
     }
 
     if (get_bits1(gb)) {
+        if (get_bits_left(gb) < 64*8)
+            return AVERROR_INVALIDDATA;
         /* chroma_intra_quantiser_matrix */
         for (i = 0; i < 64; i++) {
             v = get_bits(gb, 8);
@@ -2898,6 +2904,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, 
GetBitContext *gb)
     }
 
     if (get_bits1(gb)) {
+        if (get_bits_left(gb) < 64*8)
+            return AVERROR_INVALIDDATA;
         /* chroma_non_intra_quantiser_matrix */
         for (i = 0; i < 64; i++) {
             get_bits(gb, 8);
@@ -2905,6 +2913,7 @@ static void read_quant_matrix_ext(MpegEncContext *s, 
GetBitContext *gb)
     }
 
     next_start_code_studio(gb);
+    return 0;
 }
 
 static void extension_and_user_data(MpegEncContext *s, GetBitContext *gb, int 
id)
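Review bot: The `return 0;` added here is reached only on the success path; the four early returns in the preceding hunks leave before `next_start_code_studio(gb)`, so on error the reader stays wherever the failing guard found it. Matrices signalled before the failing one appear to have been stored in the context already (the stores are outside the visible lines), which would leave a partly updated quantiser state. If that is intended, a comment such as `/* on error: reader not resynced, earlier matrices may already be applied */` would tell callers to abandon the header rather than continue parsing.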
-- 
2.18.0
