xan: Check for out of bound reads in xan_huffman_decode()

author Laurent Aimar <fenrir@videolan.org>

Thu, 29 Sep 2011 20:38:01 +0000 (20:38 +0000)

committer Janne Grunau <janne-libav@jannau.net>

Fri, 7 Oct 2011 14:25:32 +0000 (16:25 +0200)
author Laurent Aimar <fenrir@videolan.org>
Thu, 29 Sep 2011 20:38:01 +0000 (20:38 +0000)
committer Janne Grunau <janne-libav@jannau.net>
Fri, 7 Oct 2011 14:25:32 +0000 (16:25 +0200)
diff --git a/libavcodec/xan.c b/libavcodec/xan.c

index c71a718..3965617 100644 (file)
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -112,7 +112,10 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
      init_get_bits(&gb, ptr, ptr_len * 8);
  
      while ( val != 0x16 ) {
-        val = src[val - 0x17 + get_bits1(&gb) * byte];
+        unsigned idx = val - 0x17 + get_bits1(&gb) * byte;
+        if (idx >= 2 * byte)
+            return -1;
+        val = src[idx];
  
          if ( val < 0x16 ) {
              if (dest >= dest_end)
author	Laurent Aimar <fenrir@videolan.org>
	Thu, 29 Sep 2011 20:38:01 +0000 (20:38 +0000)
committer	Janne Grunau <janne-libav@jannau.net>
	Fri, 7 Oct 2011 14:25:32 +0000 (16:25 +0200)