From: "Ronald S. Bultje" <[email protected]>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: [email protected]
---
libavcodec/xxan.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 86b4195..6dedcb0 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -162,7 +162,7 @@ static int xan_decode_chroma(AVCodecContext *avctx,
unsigned chroma_off)
int i, j;
const uint8_t *src, *src_end;
const uint8_t *table;
- int mode, offset, dec_size;
+ int mode, offset, dec_size, table_size;
if (!chroma_off)
return 0;
@@ -173,6 +173,7 @@ static int xan_decode_chroma(AVCodecContext *avctx,
unsigned chroma_off)
bytestream2_seek(&s->gb, chroma_off + 4, SEEK_SET);
mode = bytestream2_get_le16(&s->gb);
table = s->gb.buffer;
+ table_size = bytestream2_get_bytes_left(&s->gb) >> 1;
offset = bytestream2_get_le16(&s->gb) * 2;
if (offset >= bytestream2_get_bytes_left(&s->gb)) {
@@ -196,7 +197,7 @@ static int xan_decode_chroma(AVCodecContext *avctx,
unsigned chroma_off)
for (j = 0; j < avctx->height >> 1; j++) {
for (i = 0; i < avctx->width >> 1; i++) {
val = *src++;
- if (val) {
+ if (val && val < table_size) {
val = AV_RL16(table + (val << 1));
uval = (val >> 3) & 0xF8;
vval = (val >> 8) & 0xF8;
@@ -216,7 +217,7 @@ static int xan_decode_chroma(AVCodecContext *avctx,
unsigned chroma_off)
for (j = 0; j < avctx->height >> 2; j++) {
for (i = 0; i < avctx->width >> 1; i += 2) {
val = *src++;
- if (val) {
+ if (val && val < table_size) {
val = AV_RL16(table + (val << 1));
uval = (val >> 3) & 0xF8;
vval = (val >> 8) & 0xF8;
--
1.7.9.2
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
