From ab1c7113f9ec1e169d654990dc5379af1570d2ce Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 1 Feb 2014 17:07:40 +0100
Subject: avcodec/vc1: Check bfraction_lut_index

Fixes: out of array read
Fixes: asan_static-oob_1b40507_2849_SA10143.vc1
Fixes: asan_static-oob_1b40a15_2849_cov_1182297305_SA10143.vc1
Fixes: asan_static-oob_1b40f15_2849_cov_2159513432_SA10143.vc1
Fixes: asan_static-oob_1b40f15_2849_cov_3230311510_SA10143.vc1
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dcf5bfbdb6137ffdca66e0b7c2929ced42732951)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/vc1.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index 728c7defe8..b9a6fdfb52 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -628,7 +628,13 @@ static void rotate_luts(VC1Context *v)
 }
 
 static int read_bfraction(VC1Context *v, GetBitContext* gb) {
-    v->bfraction_lut_index = get_vlc2(gb, ff_vc1_bfraction_vlc.table, VC1_BFRACTION_VLC_BITS, 1);
+    int bfraction_lut_index = get_vlc2(gb, ff_vc1_bfraction_vlc.table, VC1_BFRACTION_VLC_BITS, 1);
+
+    if (bfraction_lut_index == 21 || bfraction_lut_index < 0) {
+        av_log(v->s.avctx, AV_LOG_ERROR, "bfraction invalid\n");
+        return AVERROR_INVALIDDATA;
+    }
+    v->bfraction_lut_index = bfraction_lut_index;
     v->bfraction           = ff_vc1_bfraction_lut[v->bfraction_lut_index];
     return 0;
 }
-- 
cgit v1.2.3