avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block()

author Michael Niedermayer <michael@niedermayer.cc>

Sun, 10 Mar 2019 00:40:59 +0000 (01:40 +0100)

committer Michael Niedermayer <michael@niedermayer.cc>

Mon, 11 Mar 2019 23:48:56 +0000 (00:48 +0100)
author Michael Niedermayer <michael@niedermayer.cc>
Sun, 10 Mar 2019 00:40:59 +0000 (01:40 +0100)
committer Michael Niedermayer <michael@niedermayer.cc>
Mon, 11 Mar 2019 23:48:56 +0000 (00:48 +0100)
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c

index 99b1e1062075753421ac8ebb28f1e4d9a5fe3585..b6f2ae7b7b5220bd00475541c6c1de2f1b20b681 100644 (file)
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -1899,14 +1899,20 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n
              code >>= 1;
              run = (1 << (additional_code_len - 1)) + code;
              idx += run;
+            if (idx > 63)
+                return AVERROR_INVALIDDATA;
              j = scantable[idx++];
              block[j] = sign ? 1 : -1;
          } else if (group >= 13 && group <= 20) {
              /* Level value (Table B.49) */
+            if (idx > 63)
+                return AVERROR_INVALIDDATA;
              j = scantable[idx++];
              block[j] = get_xbits(&s->gb, additional_code_len);
          } else if (group == 21) {
              /* Escape */
+            if (idx > 63)
+                return AVERROR_INVALIDDATA;
              j = scantable[idx++];
              additional_code_len = s->avctx->bits_per_raw_sample + s->dct_precision + 4;
              flc = get_bits(&s->gb, additional_code_len);
author	Michael Niedermayer <michael@niedermayer.cc>
	Sun, 10 Mar 2019 00:40:59 +0000 (01:40 +0100)
committer	Michael Niedermayer <michael@niedermayer.cc>
	Mon, 11 Mar 2019 23:48:56 +0000 (00:48 +0100)