[FFmpeg-cvslog] eamad: check for out of bounds read

Federico Tomassetti git at videolan.org
Tue Mar 10 13:57:36 CET 2015


ffmpeg | branch: release/1.1 | Federico Tomassetti <ftomassetti at groupon.com> | Wed Feb 18 12:11:44 2015 +0000| [c17da32ba26d2c333bd9cd4afe38a1b36e3d6cba] | committer: Vittorio Giovara

eamad: check for out of bounds read

Bug-Id: CID 1257500
CC: libav-stable at libav.org

Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c17da32ba26d2c333bd9cd4afe38a1b36e3d6cba
---

 libavcodec/eamad.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index 405cc2a..72eae0f 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -134,6 +134,11 @@ static inline void decode_block_intra(MadContext *s, DCTELEM * block)
                 break;
             } else if (level != 0) {
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return;
+                }
                 j = scantable[i];
                 level = (level*quant_matrix[j]) >> 4;
                 level = (level-1)|1;
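Review bot: The new `return;` on the `i > 63` path still reports the damage only through av_log, because decode_block_intra is declared `static inline void` (see the hunk header), so the caller receives a partially filled block and no signal to stop decoding. Consider making the function return `int`, using `return -1;` here and in the identical check in the second hunk, and having the caller abandon the frame on failure. The callers are not visible in this diff, so confirm how they treat a damaged block. The function body starts and ends outside the hunk.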
@@ -148,6 +153,11 @@ static inline void decode_block_intra(MadContext *s, DCTELEM * block)
                 run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6);
 
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return;
+                }
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
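Review bot: The code does not say why the bound check must sit before `j = scantable[i];`, so a later cleanup could merge the two copies back below the branches, where the removed check used to be. A comment on the check would pin it, e.g. `/* run is 1..64 on the escape path (6-bit field + 1); reject before indexing scantable */`. The 1..64 range follows from `SHOW_UBITS(re, &s->gb, 6)+1` two lines above; the table size is only inferred from the `> 63` bound. The early return also leaves the function while the `re` bit reader is in use, so check whether the reader position must be written back to `s->gb` first; the end of the function is outside the hunk.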
@@ -159,10 +169,6 @@ static inline void decode_block_intra(MadContext *s, DCTELEM * block)
                     level = (level-1)|1;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return;
-            }
 
             block[j] = level;
         }


