From eb8a67de75ef6fd043f5749f6448c1874f149783 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 5 Jan 2016 02:28:10 +0100
Subject: [PATCH] avcodec/dxv: Check idx in CHECKPOINT()

Fixes out of array read

Fixes Ticket5098
Fixes Ticket5099

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dxv.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 4fdfd65404d..f1ea2987aef 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -105,9 +105,17 @@ static int decompress_texture_thread(AVCodecContext *avctx, void *arg,
             break;                                                            \
         case 2:                                                               \
             idx = (bytestream2_get_byte(gbc) + 2) * x;                        \
+            if (idx > pos) {                                                  \
+                av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos);       \
+                return AVERROR_INVALIDDATA;                                   \
+            }                                                                 \
             break;                                                            \
         case 3:                                                               \
             idx = (bytestream2_get_le16(gbc) + 0x102) * x;                    \
+            if (idx > pos) {                                                  \
+                av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos);       \
+                return AVERROR_INVALIDDATA;                                   \
+            }                                                                 \
             break;                                                            \
         }                                                                     \
     } while(0)
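Review bot: The `return AVERROR_INVALIDDATA;` added under `case 2` and `case 3` exits the enclosing function from inside the CHECKPOINT macro, and nothing at a call site shows that, so any caller that expects to run cleanup after `CHECKPOINT(x)` would silently skip it. I would document this on the macro, e.g. `/* Returns AVERROR_INVALIDDATA from the calling function when idx exceeds pos. */`. I would also fold the two identical checks into a single one placed after the `switch` so a later case cannot omit it, provided idx is always <= pos on the paths that leave it unchanged, which the hunk does not show. The message `"idx %d > %d\n"` would be easier to triage as `"idx %d exceeds current position %d\n"`, and its `%d` specifiers assume idx and pos are plain int, which is declared outside the hunk. The macro definition begins above the hunk, so the earlier cases and the initial values of idx and pos are not visible here.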
-- 
GitLab