Avoid out of bounds access.
---
 libavcodec/vp3.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 26374cc..40e9498 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2274,8 +2274,15 @@ static int theora_decode_header(AVCodecContext *avctx, 
GetBitContext *gb)
     skip_bits(gb, 6); /* quality hint */
 
     if (s->theora >= 0x030200) {
+        unsigned int idx;
+
         skip_bits(gb, 5); /* keyframe frequency force */
-        avctx->pix_fmt = theora_pix_fmts[get_bits(gb, 2)];
+
+        idx = get_bits(gb, 2);
+        if (idx == 1 || idx >= FF_ARRAY_ELEMS(theora_pix_fmts))
+            return AVERROR_INVALIDDATA;
+
+        avctx->pix_fmt = theora_pix_fmts[idx];
         skip_bits(gb, 3); /* reserved */
     }
 
@@ -2428,7 +2435,7 @@ static av_cold int theora_decode_init(AVCodecContext 
*avctx)
     int ptype;
     uint8_t *header_start[3];
     int header_len[3];
-    int i;
+    int i, ret;
 
     s->theora = 1;
 
@@ -2460,7 +2467,9 @@ static av_cold int theora_decode_init(AVCodecContext 
*avctx)
 
         switch (ptype) {
         case 0x80:
-            theora_decode_header(avctx, &gb);
+            ret = theora_decode_header(avctx, &gb);
+            if (ret < 0)
+                return ret;
             break;
         case 0x81:
 // FIXME: is this needed? it breaks sometimes
-- 
2.10.0

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

Reply via email to