tm2: check for invalid vlcs, fix out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-11-17 04:09:20 +0400
committer: Michael Niedermayer <michaelni@gmx.at> 2012-11-17 05:09:56 +0400
commit: 31fce399425b986557ab94a2dd8305b289710f0e (patch)
tree: e39e0309face5de88ecd7df7dea644119ac72dbf /libavcodec
parent: c6945228e8ebc3e6252aed452302c1d1101bcde6 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 3ef6e2c074..7ef35ff2b6 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -200,6 +200,8 @@ static inline int tm2_get_token(GetBitContext *gb, TM2Codes *code)
 {
     int val;
     val = get_vlc2(gb, code->vlc.table, code->bits, 1);
+    if(val<0)
+        return -1;
     return code->recode[val];
 }
 
@@ -325,7 +327,7 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
                 return AVERROR_INVALIDDATA;
             }
             ctx->tokens[stream_id][i] = tm2_get_token(&ctx->gb, &codes);
-            if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS) {
+            if (stream_id <= TM2_MOT && ctx->tokens[stream_id][i] >= TM2_DELTAS || ctx->tokens[stream_id][i]<0) {
                 av_log(ctx->avctx, AV_LOG_ERROR, "Invalid delta token index %d for type %d, n=%d\n",
                        ctx->tokens[stream_id][i], stream_id, i);
                 return AVERROR_INVALIDDATA;
author	Michael Niedermayer <michaelni@gmx.at>	2012-11-17 04:09:20 +0400
committer	Michael Niedermayer <michaelni@gmx.at>	2012-11-17 05:09:56 +0400
commit	31fce399425b986557ab94a2dd8305b289710f0e (patch)
tree	e39e0309face5de88ecd7df7dea644119ac72dbf /libavcodec
parent	c6945228e8ebc3e6252aed452302c1d1101bcde6 (diff)