Browse code
vp6: Fix illegal read.
Found with Address Sanitizer
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Thierry Foucu authored on 2011/11/18 02:39:52Showing 1 changed files
| ... | ... |
@@ -440,7 +440,8 @@ static void vp6_parse_coeff(VP56Context *s) |
| 440 | 440 |
model1 = model->coeff_dccv[pt]; |
| 441 | 441 |
model2 = model->coeff_dcct[pt][ctx]; |
| 442 | 442 |
|
| 443 |
- for (coeff_idx=0; coeff_idx<64; ) {
|
|
| 443 |
+ coeff_idx = 0; |
|
| 444 |
+ for (;;) {
|
|
| 444 | 445 |
if ((coeff_idx>1 && ct==0) || vp56_rac_get_prob(c, model2[0])) {
|
| 445 | 446 |
/* parse a coeff */ |
| 446 | 447 |
if (vp56_rac_get_prob(c, model2[2])) {
|
| ... | ... |
@@ -481,8 +482,10 @@ static void vp6_parse_coeff(VP56Context *s) |
| 481 | 481 |
run += vp56_rac_get_prob(c, model3[i+8]) << i; |
| 482 | 482 |
} |
| 483 | 483 |
} |
| 484 |
- |
|
| 485 |
- cg = vp6_coeff_groups[coeff_idx+=run]; |
|
| 484 |
+ coeff_idx += run; |
|
| 485 |
+ if (coeff_idx >= 64) |
|
| 486 |
+ break; |
|
| 487 |
+ cg = vp6_coeff_groups[coeff_idx]; |
|
| 486 | 488 |
model1 = model2 = model->coeff_ract[pt][ct][cg]; |
| 487 | 489 |
} |
| 488 | 490 |
|