truemotion1: Check index, fix out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index 1cf56ed..ada1270 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -519,6 +519,10 @@
}
#define APPLY_C_PREDICTOR() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
predictor_pair = s->c_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
@@ -536,6 +540,10 @@
index++;
#define APPLY_C_PREDICTOR_24() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
predictor_pair = s->c_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
@@ -554,6 +562,10 @@
#define APPLY_Y_PREDICTOR() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
predictor_pair = s->y_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
@@ -571,6 +583,10 @@
index++;
#define APPLY_Y_PREDICTOR_24() \
+ if(index > 1023){\
+ av_log(s->avctx, AV_LOG_ERROR, " index %d went out of bounds\n", index); \
+ return; \
+ }\
predictor_pair = s->y_predictor_table[index]; \
horiz_pred += (predictor_pair >> 1); \
if (predictor_pair & 1) { \
