From fb3e3808aed843b21dd70a70bdbc4b9f7de6a00b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 18 Apr 2013 02:47:10 +0200
Subject: avcodec/bitstream: Check bits in ff_init_vlc_sparse()

Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/bitstream.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libavcodec')

diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c
index 6bcdadb..6598d3e 100644
--- a/libavcodec/bitstream.c
+++ b/libavcodec/bitstream.c
@@ -305,6 +305,10 @@ int ff_init_vlc_sparse(VLC *vlc, int nb_bits, int nb_codes,
         GET_DATA(buf[j].bits, bits, i, bits_wrap, bits_size);\
         if (!(condition))\
             continue;\
+        if (buf[j].bits > 3*nb_bits || buf[j].bits>32) {\
+            av_log(NULL, AV_LOG_ERROR, "Too long VLC in init_vlc\n");\
+            return -1;\
+        }\
         GET_DATA(buf[j].code, codes, i, codes_wrap, codes_size);\
         if (flags & INIT_VLC_LE)\
             buf[j].code = bitswap_32(buf[j].code);\
-- 
cgit v1.1