dnxhddec: fix integer overflow / index check

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-01-30 19:31:45 +01:00
parent b926cc7834
commit 4a2da83a78

View File

@ -180,7 +180,7 @@ static int dnxhd_decode_header(DNXHDContext *ctx, const uint8_t *buf, int buf_si
for (i = 0; i < ctx->mb_height; i++) {
ctx->mb_scan_index[i] = AV_RB32(buf + 0x170 + (i<<2));
av_dlog(ctx->avctx, "mb scan index %d\n", ctx->mb_scan_index[i]);
if (buf_size < ctx->mb_scan_index[i] + 0x280) {
if (buf_size < ctx->mb_scan_index[i] + 0x280LL) {
av_log(ctx->avctx, AV_LOG_ERROR, "invalid mb scan index\n");
return -1;
}