From patchwork Mon Jan 30 01:31:08 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
X-Patchwork-Id: 2365
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.89.21 with SMTP id n21csp1247588vsb;
	Sun, 29 Jan 2017 17:31:19 -0800 (PST)
X-Received: by 10.223.152.18 with SMTP id v18mr16165866wrb.78.1485739879645;
	Sun, 29 Jan 2017 17:31:19 -0800 (PST)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	b203si11388666wme.154.2017.01.29.17.31.18;
	Sun, 29 Jan 2017 17:31:19 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	dkim=neutral (body hash did not verify) header.i=@googlemail.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
	dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE)
	header.from=googlemail.com
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2E18E68A4DA;
	Mon, 30 Jan 2017 03:31:14 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wm0-f67.google.com (mail-wm0-f67.google.com
	[74.125.82.67])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B61CD68A224
	for <ffmpeg-devel@ffmpeg.org>; Mon, 30 Jan 2017 03:31:07 +0200 (EET)
Received: by mail-wm0-f67.google.com with SMTP id c85so73950154wmi.1
	for <ffmpeg-devel@ffmpeg.org>; Sun, 29 Jan 2017 17:31:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=googlemail.com; s=20161025;
	h=from:to:cc:subject:message-id:date:user-agent:mime-version
	:content-transfer-encoding;
	bh=I2Kl0S12F2SLPdsO+d+q17+6W2jyz7EKRjcVKDVstJU=;
	b=rj7t8fVJ4MfUVI5vtLGryYyAJSrWrOwzqH6+LKPswDiyclSyIXnu+5/aLNzZKnGHZr
	8qvqyu/dqnOAsTpX+1HFm5ecUfcQj9xcFdQhUiT3Va96Rwe3USwLjeuRxlcWughbqVjf
	vsg17o+doGajorzUBVZ9ciANteG2HYBB9rgI9ROHEBl7M+8lcTKvPKAYsYbgRazWeZNw
	qARf7QTTdy19+8su06EKB0nh9a1MzrYmbU+5poypRMdkGcEfil/wZ/UX+ZxNLyU0hh91
	7elgmlLI1VBSiOtM4Zwx4LLAIGlByNukIF4aNajDl/dNGpXG5luUk9IX+YtY0J9aX5Ay
	LHbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:message-id:date:user-agent
	:mime-version:content-transfer-encoding;
	bh=I2Kl0S12F2SLPdsO+d+q17+6W2jyz7EKRjcVKDVstJU=;
	b=sy/zzPJOsNhNM9k5ukkN8V6ptXJruoEpoFuckXsBDqo5gALODOCxrl4YvP1tbPY+oi
	hOEdO8IeYEXah4eapMAZqvjIFfMtbJOUYqGi+36FcghfQxV+YKqPCRccM0W8NvCRKdUr
	uw6dFU6VuyL2ZXhIJto6SQUk4J73w2yMbuKlyTwm73iS8z8hLwxi2+pz/i7D0G/o8az8
	njpNvQ7SM+rZqVvL+tU4O6EXk6OavwBnc2MLgThvDqwtuAqvqhUJN4IKt7TN9PGmT44A
	YuGmYO35Pl7D5Lw9e1UwaAr0Miu6R+RgYaJxk4QUlbO28S70wokUZwz9TZVKqe3kEqLD
	rWLw==
X-Gm-Message-State: 
 AIkVDXKaW0iZeTxj2hEZc23PPguarJ0MDwj4kt8jwEHGjK2Knzkp9ijBQh9w8dbIstiYzw==
X-Received: by 10.28.45.213 with SMTP id t204mr9298546wmt.113.1485739869340;
	Sun, 29 Jan 2017 17:31:09 -0800 (PST)
Received: from [192.168.2.21] (p5B07262A.dip0.t-ipconnect.de. [91.7.38.42])
	by smtp.googlemail.com with ESMTPSA id
	10sm8260102wmi.23.2017.01.29.17.31.08
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sun, 29 Jan 2017 17:31:08 -0800 (PST)
From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
X-Google-Original-From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <7b5404a4-fae1-44b0-b97c-6c249ea03280@googlemail.com>
Date: Mon, 30 Jan 2017 02:31:08 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Thunderbird/45.6.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH] speedhq: make sure the block index is not
	negative
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Cc: "Steinar H. Gunderson" <steinar+ffmpeg@gunderson.no>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes out-of-bounds writes.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/speedhq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c
index 385f779f83..6ae1e0f8df 100644
--- a/libavcodec/speedhq.c
+++ b/libavcodec/speedhq.c
@@ -198,7 +198,7 @@ static inline int decode_alpha_block(const SHQContext *s, GetBitContext *gb, uin
 
             if (run == 128) break;
             i += run;
-            if (i >= 128)
+            if (i < 0 || i >= 128)
                 return AVERROR_INVALIDDATA;
 
             UPDATE_CACHE_LE(re, gb);