[FFmpeg-cvslog] truemotion1: make sure index does not go out of bounds

Sun Jan 12 16:28:08 CET 2014

ffmpeg | branch: release/1.1 | Anton Khirnov <anton at khirnov.net> | Fri Nov 15 19:06:23 2013 +0100| [7b337b122959b9bf634c31b549892df974f35b40] | committer: Reinhard Tartler

truemotion1: make sure index does not go out of bounds

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable at libav.org

(cherry picked from commit c918e08b9cc9ce8d06159c51da55ec5ab018039a)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7b337b122959b9bf634c31b549892df974f35b40
---

 libavcodec/truemotion1.c |   25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index c49f9fe..63cd05b 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -512,6 +512,15 @@ hres,vres,i,i%vres (0 < i < 4)
     index = s->index_stream[index_stream_index++] * 4; \
 }
 
+#define INC_INDEX                                                   \
+do {                                                                \
+    if (index >= 1023) {                                            \
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n");   \
+        return;                                                     \
+    }                                                               \
+    index++;                                                        \
+} while (0)
+
 #define APPLY_C_PREDICTOR() \
     predictor_pair = s->c_predictor_table[index]; \
     horiz_pred += (predictor_pair >> 1); \
@@ -524,10 +533,10 @@ hres,vres,i,i%vres (0 < i < 4)
             if (predictor_pair & 1) \
                 GET_NEXT_INDEX() \
             else \
-                index++; \
+                INC_INDEX; \
         } \
     } else \
-        index++;
+        INC_INDEX;
 
 #define APPLY_C_PREDICTOR_24() \
     predictor_pair = s->c_predictor_table[index]; \
@@ -541,10 +550,10 @@ hres,vres,i,i%vres (0 < i < 4)
             if (predictor_pair & 1) \
                 GET_NEXT_INDEX() \
             else \
-                index++; \
+                INC_INDEX; \
         } \
     } else \
-        index++;
+        INC_INDEX;
 
 
 #define APPLY_Y_PREDICTOR() \
@@ -559,10 +568,10 @@ hres,vres,i,i%vres (0 < i < 4)
             if (predictor_pair & 1) \
                 GET_NEXT_INDEX() \
             else \
-                index++; \
+                INC_INDEX; \
         } \
     } else \
-        index++;
+        INC_INDEX;
 
 #define APPLY_Y_PREDICTOR_24() \
     predictor_pair = s->y_predictor_table[index]; \
@@ -576,10 +585,10 @@ hres,vres,i,i%vres (0 < i < 4)
             if (predictor_pair & 1) \
                 GET_NEXT_INDEX() \
             else \
-                index++; \
+                INC_INDEX; \
         } \
     } else \
-        index++;
+        INC_INDEX;
 
 #define OUTPUT_PIXEL_PAIR() \
     *current_pixel_pair = *vert_pred + horiz_pred; \

