[FFmpeg-cvslog] wc4: fix out of chroma LUT reads

Michael Niedermayer git at videolan.org
Sun Mar 4 00:32:59 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sun Mar  4 00:13:52 2012 +0100| [8f1bb3d59850932d43a60472ff98c723268a3958] | committer: Michael Niedermayer

wc4: fix out of chroma LUT reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8f1bb3d59850932d43a60472ff98c723268a3958
---

 libavcodec/xxan.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index de55d08..2ab34e1 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -162,6 +162,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
     int i, j;
     const uint8_t *src, *src_end;
     const uint8_t *table;
+    int table_size;
     int mode, offset, dec_size;
 
     chroma_off = AV_RL32(buf + 4);
@@ -173,6 +174,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
     }
     src    = avpkt->data + 4 + chroma_off;
     table  = src + 2;
+    table_size =  avpkt->data + avpkt->size - table;
     mode   = bytestream_get_le16(&src);
     offset = bytestream_get_le16(&src) * 2;
 
@@ -200,6 +202,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
                     return 0;
                 val = *src++;
                 if (val) {
+                    if (val << 1 >= table_size)
+                        return AVERROR_INVALIDDATA;
                     val  = AV_RL16(table + (val << 1));
                     uval = (val >> 3) & 0xF8;
                     vval = (val >> 8) & 0xF8;
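Review bot: The added guard `if (val << 1 >= table_size)` still lets the two-byte read run one byte past the packet: `AV_RL16(table + (val << 1))` touches offsets `val << 1` and `(val << 1) + 1`, and when `table_size` is odd the check accepts `val << 1 == table_size - 1`. Comparing the end of the read closes the gap, `if ((val << 1) + 2 > table_size) return AVERROR_INVALIDDATA;`, and the identical check in the second loop (the hunk at -220) needs the same change. Because `table_size` is measured from `table` to the end of the packet, it bounds the read to the packet rather than to the LUT itself, so a comment at its assignment such as `/* bytes left in the packet from table; an upper bound, not the LUT length */` would record that. The input padding FFmpeg normally expects after packet data probably absorbs the stray byte, but nothing in this hunk shows it, and the enclosing loop starts and ends outside the hunk.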
@@ -220,6 +224,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
                     return 0;
                 val = *src++;
                 if (val) {
+                    if (val << 1 >= table_size)
+                        return AVERROR_INVALIDDATA;
                     val  = AV_RL16(table + (val << 1));
                     uval = (val >> 3) & 0xF8;
                     vval = (val >> 8) & 0xF8;


