diff options
| author | Laurent Aimar <fenrir@videolan.org> | 2011-09-28 02:45:54 +0400 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-10-01 22:53:44 +0400 |
| commit | f9efe1d76e2c7fc302337506c42c5fd50ea36b5a (patch) | |
| tree | 75dbce8c93ff86e77980817be3da0649f798743a /libavcodec/xan.c | |
| parent | 626f11b3bc92011896ae2502788adb423cbd74d9 (diff) | |
Check for out of bound reads in xan_huffman_decode() of the xan decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit c8b835954ae4aef797112afda3b52f8dfe3c7b74)
Diffstat (limited to 'libavcodec/xan.c')
| -rw-r--r-- | libavcodec/xan.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/xan.c b/libavcodec/xan.c index b90353967d..fe9eece61a 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -114,7 +114,10 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { - val = src[val - 0x17 + get_bits1(&gb) * byte]; + unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + if (idx >= 2 * byte) + return -1; + val = src[idx]; if ( val < 0x16 ) { if (dest >= dest_end) |