Fix an exploit in indeo by checking we are not writing out of the strip array.

Fixes issue 655 git-svn-id: file:///var/local/repositories/ffmpeg/trunk@16802 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

Fix an exploit in indeo by checking we are not writing out of the strip array.
Fixes issue 655 git-svn-id: file:///var/local/repositories/ffmpeg/trunk@16802 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
3c078bc6 · benoit · f0e3d4d6 · 3c078bc6
Commit 3c078bc6 authored Jan 26, 2009 by benoit
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

libavcodec/indeo3.c libavcodec/indeo3.c +8 -0

No files found.
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -252,6 +252,10 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,

        if(cmd == 0) {
            strip++;
+            if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {
+                av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n");
+                break;
+            }
            memcpy(strip, strip-1, sizeof(*strip));
            strip->split_flag = 1;
            strip->split_direction = 0;
@@ -259,6 +263,10 @@ static void iv_Decode_Chunk(Indeo3DecodeContext *s,
            continue;
        } else if(cmd == 1) {
            strip++;
+            if(strip >= strip_tbl + FF_ARRAY_ELEMS(strip_tbl)) {
+                av_log(s->avctx, AV_LOG_WARNING, "out of range strip\n");
+                break;
+            }
            memcpy(strip, strip-1, sizeof(*strip));
            strip->split_flag = 1;
            strip->split_direction = 1;