From: Michael Niedermayer <michaelni@gmx.at>
Date: Wed, 28 Mar 2012 08:44:43 +0000 (+0200)
Subject: vc1dec: Fix global array overread.
X-Git-Url: https://git.sesse.net/?a=commitdiff_plain;h=a60a4d704149ab51bd27b63ae763c1d26d075013;p=ffmpeg

vc1dec: Fix global array overread.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---

diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index d538c74c3e2..d2923b9cf27 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -1049,8 +1049,8 @@ static void vc1_mc_4mv_chroma4(VC1Context *v)
             mquant = v->altpq;                                 \
         if ((edges&8) && s->mb_y == (s->mb_height - 1))        \
             mquant = v->altpq;                                 \
-        if (!mquant) {                                 \
-            av_log(v->s.avctx,AV_LOG_ERROR, "zero mquant\n");   \
+        if (!mquant || mquant > 31) {                          \
+            av_log(v->s.avctx, AV_LOG_ERROR, "invalid mquant %d\n", mquant);   \
             mquant = 1;                                \
         }                                              \
     }