Fix potential buffer overflow for JPEG decoding

author Xiang, Haihao <haihao.xiang@intel.com>

Fri, 15 Mar 2013 07:32:01 +0000 (15:32 +0800)

committer Xiang, Haihao <haihao.xiang@intel.com>

Fri, 15 Mar 2013 07:45:28 +0000 (15:45 +0800)
author Xiang, Haihao <haihao.xiang@intel.com>
Fri, 15 Mar 2013 07:32:01 +0000 (15:32 +0800)
committer Xiang, Haihao <haihao.xiang@intel.com>
Fri, 15 Mar 2013 07:45:28 +0000 (15:45 +0800)
diff --git a/src/gen75_mfd.c b/src/gen75_mfd.c

index 4f08f38..0ac9d5f 100644 (file)
--- a/src/gen75_mfd.c
+++ b/src/gen75_mfd.c
@@ -2406,14 +2406,20 @@ gen75_mfd_jpeg_qm_state(VADriverContextP ctx,
      assert(pic_param->num_components <= 3);
  
      for (index = 0; index < pic_param->num_components; index++) {
-        int qm_type = va_to_gen7_jpeg_qm[pic_param->components[index].component_id - pic_param->components[0].component_id + 1];
+        int id = pic_param->components[index].component_id - pic_param->components[0].component_id + 1;
+        int qm_type;
          unsigned char *qm = iq_matrix->quantiser_table[pic_param->components[index].quantiser_table_selector];
          unsigned char raster_qm[64];
          int j;
  
+        if (id > 4 || id < 1)
+            continue;
+
          if (!iq_matrix->load_quantiser_table[pic_param->components[index].quantiser_table_selector])
              continue;
  
+        qm_type = va_to_gen7_jpeg_qm[id];
+
          for (j = 0; j < 64; j++)
              raster_qm[zigzag_direct[j]] = qm[j];
  
diff --git a/src/gen7_mfd.c b/src/gen7_mfd.c

index c081826..ed463d9 100755 (executable)
--- a/src/gen7_mfd.c
+++ b/src/gen7_mfd.c
@@ -2035,14 +2035,20 @@ gen7_mfd_jpeg_qm_state(VADriverContextP ctx,
      assert(pic_param->num_components <= 3);
  
      for (index = 0; index < pic_param->num_components; index++) {
-        int qm_type = va_to_gen7_jpeg_qm[pic_param->components[index].component_id - pic_param->components[0].component_id + 1];
+        int id = pic_param->components[index].component_id - pic_param->components[0].component_id + 1;
+        int qm_type;
          unsigned char *qm = iq_matrix->quantiser_table[pic_param->components[index].quantiser_table_selector];
          unsigned char raster_qm[64];
          int j;
  
+        if (id > 4 || id < 1)
+            continue;
+
          if (!iq_matrix->load_quantiser_table[pic_param->components[index].quantiser_table_selector])
              continue;
  
+        qm_type = va_to_gen7_jpeg_qm[id];
+
          for (j = 0; j < 64; j++)
              raster_qm[zigzag_direct[j]] = qm[j];
author	Xiang, Haihao <haihao.xiang@intel.com>
	Fri, 15 Mar 2013 07:32:01 +0000 (15:32 +0800)
committer	Xiang, Haihao <haihao.xiang@intel.com>
	Fri, 15 Mar 2013 07:45:28 +0000 (15:45 +0800)
src/gen75_mfd.c		patch \| blob \| history
src/gen7_mfd.c		patch \| blob \| history