Fix potential buffer overflow for JPEG decoding

Signed-off-by: Xiang, Haihao <haihao.xiang@intel.com>
author: Xiang, Haihao <haihao.xiang@intel.com> 2013-03-15 15:32:01 +0800
committer: Xiang, Haihao <haihao.xiang@intel.com> 2013-03-15 15:45:28 +0800
commit: a38598bfb10429f2a50e7f6f907f06cb7a5c30a7 (patch)
tree: d40ce10154646e043baf430d513ae276b40498eb
parent: 79be26ba60cd66e6377bbd8a6c580b9e8a88a4f1 (diff)
download: vaapi-intel-driver-a38598bfb10429f2a50e7f6f907f06cb7a5c30a7.tar.gz
vaapi-intel-driver-a38598bfb10429f2a50e7f6f907f06cb7a5c30a7.tar.bz2
vaapi-intel-driver-a38598bfb10429f2a50e7f6f907f06cb7a5c30a7.zip
2 files changed, 14 insertions, 2 deletions
diff --git a/src/gen75_mfd.c b/src/gen75_mfd.c
index 4f08f38..0ac9d5f 100644
--- a/src/gen75_mfd.c
+++ b/src/gen75_mfd.c
@@ -2406,14 +2406,20 @@ gen75_mfd_jpeg_qm_state(VADriverContextP ctx,
     assert(pic_param->num_components <= 3);
 
     for (index = 0; index < pic_param->num_components; index++) {
-        int qm_type = va_to_gen7_jpeg_qm[pic_param->components[index].component_id - pic_param->components[0].component_id + 1];
+        int id = pic_param->components[index].component_id - pic_param->components[0].component_id + 1;
+        int qm_type;
         unsigned char *qm = iq_matrix->quantiser_table[pic_param->components[index].quantiser_table_selector];
         unsigned char raster_qm[64];
         int j;
 
+        if (id > 4 || id < 1)
+            continue;
+
         if (!iq_matrix->load_quantiser_table[pic_param->components[index].quantiser_table_selector])
             continue;
 
+        qm_type = va_to_gen7_jpeg_qm[id];
+
         for (j = 0; j < 64; j++)
             raster_qm[zigzag_direct[j]] = qm[j];
 
diff --git a/src/gen7_mfd.c b/src/gen7_mfd.c
index c081826..ed463d9 100755
--- a/src/gen7_mfd.c
+++ b/src/gen7_mfd.c
@@ -2035,14 +2035,20 @@ gen7_mfd_jpeg_qm_state(VADriverContextP ctx,
     assert(pic_param->num_components <= 3);
 
     for (index = 0; index < pic_param->num_components; index++) {
-        int qm_type = va_to_gen7_jpeg_qm[pic_param->components[index].component_id - pic_param->components[0].component_id + 1];
+        int id = pic_param->components[index].component_id - pic_param->components[0].component_id + 1;
+        int qm_type;
         unsigned char *qm = iq_matrix->quantiser_table[pic_param->components[index].quantiser_table_selector];
         unsigned char raster_qm[64];
         int j;
 
+        if (id > 4 || id < 1)
+            continue;
+
         if (!iq_matrix->load_quantiser_table[pic_param->components[index].quantiser_table_selector])
             continue;
 
+        qm_type = va_to_gen7_jpeg_qm[id];
+
         for (j = 0; j < 64; j++)
             raster_qm[zigzag_direct[j]] = qm[j];
author	Xiang, Haihao <haihao.xiang@intel.com>	2013-03-15 15:32:01 +0800
committer	Xiang, Haihao <haihao.xiang@intel.com>	2013-03-15 15:45:28 +0800
commit	a38598bfb10429f2a50e7f6f907f06cb7a5c30a7 (patch)
tree	d40ce10154646e043baf430d513ae276b40498eb
parent	79be26ba60cd66e6377bbd8a6c580b9e8a88a4f1 (diff)
download	vaapi-intel-driver-a38598bfb10429f2a50e7f6f907f06cb7a5c30a7.tar.gz vaapi-intel-driver-a38598bfb10429f2a50e7f6f907f06cb7a5c30a7.tar.bz2 vaapi-intel-driver-a38598bfb10429f2a50e7f6f907f06cb7a5c30a7.zip