From a44cb89b0f53d55dd1814138ba6526ecaf985f12 Mon Sep 17 00:00:00 2001
From: Benoit Fouet
Date: Mon, 26 Jan 2009 09:41:23 +0000
Subject: Fix an exploit in indeo by checking we are not writing out of the strip array. Fixes issue 655

Originally committed as revision 16802 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/indeo3.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'libavcodec/indeo3.c')

diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index eea27f927c..d041be75ee 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -252,6 +252,10 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
 if(cmd == 0) {
 strip++;
+ if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {
+ av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n");
+ break;
+ }
 memcpy(strip, strip-1, sizeof(*strip));
 strip->split_flag = 1;
 strip->split_direction = 0;
@@ -259,6 +263,10 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
 continue;
 } else if(cmd == 1) {
 strip++;
+ if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {
+ av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n");
+ break;
+ }
 memcpy(strip, strip-1, sizeof(*strip));
 strip->split_flag = 1;
 strip->split_direction = 1;
--
cgit v1.2.3
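Review bot: The new guard after `strip++` in the `cmd == 0` branch (repeated verbatim in the `cmd == 1` hunk) stops the out-of-bounds `memcpy`, but it reports a malformed bitstream only at warning level and then `break`s. Because `iv_Decode_Chunk` is `static void`, the caller cannot learn that the chunk was abandoned. I would log it as an error, `av_log(s->avctx, AV_LOG_ERROR, "out of range strip\n");`, and add a comment such as `/* strip_tbl is full: the split commands come from the bitstream, stop decoding this chunk */` so the reason for the check survives later refactoring. When the `break` is taken `strip` is left one past the end of `strip_tbl`, so anything after the loop must not dereference it; the loop and the rest of the function are outside both hunks, so that should be confirmed against the full file. The two identical four-line checks would also be easier to keep in sync if the shared `strip++`/check/`memcpy` sequence were hoisted into one place.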