[SCM] libav/wheezy-security: h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3

siretart at users.alioth.debian.org
Sun Jun 1 21:36:12 UTC 2014


The following commit has been merged in the wheezy-security branch:
commit 51ae8e26af8f5b26efb41edc0fe4812368d16ae9
Author: Anton Khirnov <anton at khirnov.net>
Date:   Thu Nov 28 10:54:35 2013 +0100

    h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3
    
    Higher modes are not allowed for 16x16/chroma, which is what this
    function is used for. Otherwise this function would return 0 (vertical
    prediction) for invalid higher modes, which could result in invalid
    reads.
    
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC:libav-stable at libav.org

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index d6e1ba1..de4a4f0 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -107,10 +107,10 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
  */
 int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
     MpegEncContext * const s = &h->s;
-    static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
-    static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
+    static const int8_t top[4]  = { LEFT_DC_PRED8x8, 1, -1, -1 };
+    static const int8_t left[5] = { TOP_DC_PRED8x8, -1,  2, -1, DC_128_PRED8x8 };
 
-    if(mode > 6U) {
+    if(mode > 3U) {
         av_log(h->s.avctx, AV_LOG_ERROR, "out of range intra chroma pred mode at %d %d\n", s->mb_x, s->mb_y);
         return -1;
     }
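
Review bot: The new bound `mode > 3U` rejects negative values only through the implicit conversion of the signed `int mode` to unsigned, and nothing in the hunk says so; a one-line comment, or an explicit `mode < 0 || mode > 3`, would keep a later cleanup from weakening the check. The limit 3 is also tied to `top[4]` only by convention, while `left[5]` keeps an entry at index 4 that the new limit no longer lets a caller-supplied mode select directly, so a comment on why `left` needs the fifth entry would help the next reader. Finally, the error text says "intra chroma pred mode" although the function takes `is_chroma` and the commit message says it serves 16x16 as well; consider wording the message according to `is_chroma`.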

-- 
Libav/FFmpeg packaging