From 905988fe1a8accbc1ab93120aa4cd29252b81cce Mon Sep 17 00:00:00 2001
From: Federico Tomassetti <ftomassetti@groupon.com>
Date: Wed, 18 Feb 2015 12:11:44 +0000
Subject: [PATCH] eamad: check for out of bounds read

Bug-Id: CID 1257500
CC: libav-stable@libav.org

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavcodec/eamad.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index 0d109828a0..8c3f357f6f 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -138,6 +138,11 @@ static inline void decode_block_intra(MadContext * t, DCTELEM * block)
                 break;
             } else if (level != 0) {
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return;
+                }
                 j = scantable[i];
                 level = (level*quant_matrix[j]) >> 4;
                 level = (level-1)|1;
@@ -152,6 +157,11 @@ static inline void decode_block_intra(MadContext * t, DCTELEM * block)
                 run = SHOW_UBITS(re, &s->gb, 6)+1; LAST_SKIP_BITS(re, &s->gb, 6);
 
                 i += run;
+                if (i > 63) {
+                    av_log(s->avctx, AV_LOG_ERROR,
+                           "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
+                    return;
+                }
                 j = scantable[i];
                 if (level < 0) {
                     level = -level;
@@ -163,10 +173,6 @@ static inline void decode_block_intra(MadContext * t, DCTELEM * block)
                     level = (level-1)|1;
                 }
             }
-            if (i > 63) {
-                av_log(s->avctx, AV_LOG_ERROR, "ac-tex damaged at %d %d\n", s->mb_x, s->mb_y);
-                return;
-            }
 
             block[j] = level;
         }