From 0f678c0214dccb355ed8955077a2bea46984fbc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Sep 2013 23:25:04 +0300 Subject: [PATCH] aic: Validate values read from the bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö --- libavcodec/aic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index e46c00349a..f295249f30 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -215,12 +215,14 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst, idx = -1; do { GET_CODE(val, skip_type, skip_bits); + if (val < 0) + return AVERROR_INVALIDDATA; idx += val + 1; if (idx >= num_coeffs) break; GET_CODE(val, coeff_type, coeff_bits); val++; - if (val >= 0x10000) + if (val >= 0x10000 || val < 0) return AVERROR_INVALIDDATA; dst[scan[idx]] = val; } while (idx < num_coeffs - 1); @@ -230,7 +232,7 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst, for (mb = 0; mb < slice_width; mb++) { for (idx = 0; idx < num_coeffs; idx++) { GET_CODE(val, coeff_type, coeff_bits); - if (val >= 0x10000) + if (val >= 0x10000 || val < 0) return AVERROR_INVALIDDATA; dst[scan[idx]] = val; }