indeo5: check quant_mat

prevents out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 3c7242a8246e95c53de58e3a74d55ee4c7e79d7e..e9896906446e4dd5e50a8558c208b170d0af8dec 100644 (file)
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -199,6 +199,10 @@ static int decode_gop_header(IVI45DecContext *ctx, AVCodecContext *avctx)
             }
 
             if (band->blk_size == 8) {
+                if(quant_mat >= 5){
+                    av_log(avctx, AV_LOG_ERROR, "quant_mat %d too large!\n", quant_mat);
+                    return -1;
+                }
                 band->intra_base  = &ivi5_base_quant_8x8_intra[quant_mat][0];
                 band->inter_base  = &ivi5_base_quant_8x8_inter[quant_mat][0];
                 band->intra_scale = &ivi5_scale_quant_8x8_intra[quant_mat][0];