diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-26 15:16:47 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-26 15:16:47 +0200 |
| commit | 7d74aaf6985e0f286e10c851e4d7e80fd687a774 (patch) | |
| tree | ba5dd76a616ed4b5d70411732bac87000eea5d17 /libavcodec/qdm2.c | |
| parent | 3b370abf16044893b9f58212f5dbd3e4ae881a1d (diff) | |
qdm2dec: fix out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/qdm2.c')
| -rw-r--r-- | libavcodec/qdm2.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 5da21d757d..91f50556dd 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -766,7 +766,7 @@ static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_arra * @param sb_min lower subband processed (sb_min included) * @param sb_max higher subband processed (sb_max excluded) */ -static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) +static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max) { int sb, j, k, n, ch, run, channels; int joined_stereo, zero_encoding, chs; @@ -780,7 +780,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l for (sb=sb_min; sb < sb_max; sb++) build_sb_samples_from_noise (q, sb); - return; + return 0; } for (sb = sb_min; sb < sb_max; sb++) { @@ -900,7 +900,10 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l type34_predictor = samples[0]; type34_first = 0; } else { - samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor; + unsigned v = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1); + if (v >= FF_ARRAY_ELEMS(type34_delta)) + return AVERROR_INVALIDDATA; + samples[0] = type34_delta[v] / type34_div + type34_predictor; type34_predictor = samples[0]; } } else { @@ -936,6 +939,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l } // j loop } // channel loop } // subband loop + return 0; } |