Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/FFmpeg/FFmpeg.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/libavcodec/mpeg4videodec.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2018-07-03 23:48:32 +0300
committerMichael Niedermayer <michael@niedermayer.cc>2018-07-05 00:14:24 +0300
commit5aba5b89d0b1d73164d3b81764828bb8b20ff32a (patch)
tree49962e13445339bd09977b5bd3d23028ddc57702 /libavcodec/mpeg4videodec.c
parente37741d26a1ef2d07e2ccf4e1bc9699a12576111 (diff)
avcodec/mpeg4videodec: Check for bitstream end in read_quant_matrix_ext()
Fixes: out of array read Fixes: asff-crash-0e53d0dc491dfdd507530b66562812fbd4c36678 Found-by: Paul Ch <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/mpeg4videodec.c')
-rw-r--r--libavcodec/mpeg4videodec.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 2df525e03a..24c280df46 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2867,11 +2867,13 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
return 0;
}
-static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb)
+static int read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb)
{
int i, j, v;
if (get_bits1(gb)) {
+ if (get_bits_left(gb) < 64*8)
+ return AVERROR_INVALIDDATA;
/* intra_quantiser_matrix */
for (i = 0; i < 64; i++) {
v = get_bits(gb, 8);
@@ -2882,6 +2884,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb)
}
if (get_bits1(gb)) {
+ if (get_bits_left(gb) < 64*8)
+ return AVERROR_INVALIDDATA;
/* non_intra_quantiser_matrix */
for (i = 0; i < 64; i++) {
get_bits(gb, 8);
@@ -2889,6 +2893,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb)
}
if (get_bits1(gb)) {
+ if (get_bits_left(gb) < 64*8)
+ return AVERROR_INVALIDDATA;
/* chroma_intra_quantiser_matrix */
for (i = 0; i < 64; i++) {
v = get_bits(gb, 8);
@@ -2898,6 +2904,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb)
}
if (get_bits1(gb)) {
+ if (get_bits_left(gb) < 64*8)
+ return AVERROR_INVALIDDATA;
/* chroma_non_intra_quantiser_matrix */
for (i = 0; i < 64; i++) {
get_bits(gb, 8);
@@ -2905,6 +2913,7 @@ static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb)
}
next_start_code_studio(gb);
+ return 0;
}
static void extension_and_user_data(MpegEncContext *s, GetBitContext *gb, int id)
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-21 16:00:17 +0300