From 9079e99d2c462ec7ef2e89d9e77ee6c3553dacce Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Thu, 21 Jan 2016 22:36:36 +0100 Subject: [PATCH] svq1enc: fix out of bounds reads level can be 5, but there are only four codebooks. Fixes ubsan runtime error: index 5 out of bounds for type 'int8_t [4][96]' Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun
---
 libavcodec/svq1enc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c
index 1e1745e7b1..d968d36a2a 100644
--- a/libavcodec/svq1enc.c
+++ b/libavcodec/svq1enc.c
@@ -104,7 +104,9 @@ static int encode_block(SVQ1EncContext *s, uint8_t *src, uint8_t *ref,
 best_score = 0;
 // FIXME: Optimize, this does not need to be done multiple times.
 if (intra) {
- codebook_sum = svq1_intra_codebook_sum[level];
+ // level is 5 when encode_block is called from svq1_encode_plane
+ // and always < 4 when called recursively from this function.
+ codebook_sum = level < 4 ? svq1_intra_codebook_sum[level] : NULL;
 codebook = ff_svq1_intra_codebooks[level];
 mean_vlc = ff_svq1_intra_mean_vlc;
 multistage_vlc = ff_svq1_intra_multistage_vlc[level];
@@ -117,7 +119,8 @@ static int encode_block(SVQ1EncContext *s, uint8_t *src, uint8_t *ref,
 }
 }
 } else {
- codebook_sum = svq1_inter_codebook_sum[level];
+ // level is 5 or < 4, see above for details.
+ codebook_sum = level < 4 ? svq1_inter_codebook_sum[level] : NULL;
 codebook = ff_svq1_inter_codebooks[level];
 mean_vlc = ff_svq1_inter_mean_vlc + 256;
 multistage_vlc = ff_svq1_inter_multistage_vlc[level];
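Review bot: The new `codebook_sum = level < 4 ? svq1_intra_codebook_sum[level] : NULL;` swaps an out-of-bounds read for a NULL pointer, so it is only safe if every later use of `codebook_sum` is guarded by the same `level < 4` condition; the same applies to the inter branch in the second hunk. Those uses lie outside both hunks (encode_block's body starts before and continues after them), so the guard cannot be confirmed from here. A comment at the assignment such as `// NULL for level >= 4: codebook_sum must not be dereferenced in that case` would state the contract. The literal `4` also duplicates the table's first dimension (the commit message gives the type as 'int8_t [4][96]'); `level < FF_ARRAY_ELEMS(svq1_intra_codebook_sum)` would keep the bound tied to the array. The neighbouring context lines still index `ff_svq1_intra_codebooks[level]` and `ff_svq1_intra_multistage_vlc[level]` with level 5; presumably those tables are large enough, but their declarations are not visible here and are worth checking.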