Browse code
avcodec/dvbsubdec: Check entry_id
Fixes: randomly writing over the array end
Fixes: 1473/clusterfuzz-testcase-minimized-5768907824562176
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2017/05/11 22:18:50Showing 1 changed files
| ... | ... |
@@ -1103,9 +1103,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx, |
| 1103 | 1103 |
return AVERROR_INVALIDDATA; |
| 1104 | 1104 |
} |
| 1105 | 1105 |
|
| 1106 |
- if (depth & 0x80) |
|
| 1106 |
+ if (depth & 0x80 && entry_id < 4) |
|
| 1107 | 1107 |
clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); |
| 1108 |
- else if (depth & 0x40) |
|
| 1108 |
+ else if (depth & 0x40 && entry_id < 16) |
|
| 1109 | 1109 |
clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); |
| 1110 | 1110 |
else if (depth & 0x20) |
| 1111 | 1111 |
clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); |