From bbeb29133b55b7256d18f5aaab8b5c8e919a173a Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Tue, 28 Feb 2012 11:50:22 -0800
Subject: adpcm: Clip step_index values read from the bitstream at the
 beginning of each frame.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
 libavcodec/adpcm.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'libavcodec/adpcm.c')

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index bd86ab0e61..302f2ffe57 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -696,7 +696,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
         for (channel = 0; channel < avctx->channels; channel++) {
             cs = &c->status[channel];
             cs->predictor  = (int16_t)bytestream_get_le16(&src);
-            cs->step_index = *src++;
+            cs->step_index = av_clip(*src++, 0, 88);
             src++;
             *samples++ = cs->predictor;
         }
@@ -719,8 +719,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
 
         c->status[0].predictor  = (int16_t)AV_RL16(src + 10);
         c->status[1].predictor  = (int16_t)AV_RL16(src + 12);
-        c->status[0].step_index = src[14];
-        c->status[1].step_index = src[15];
+        c->status[0].step_index = av_clip(src[14], 0, 88);
+        c->status[1].step_index = av_clip(src[15], 0, 88);
         /* sign extend the predictors */
         src += 16;
         diff_channel = c->status[1].predictor;
@@ -760,7 +760,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
         for (channel = 0; channel < avctx->channels; channel++) {
             cs = &c->status[channel];
             cs->predictor  = (int16_t)bytestream_get_le16(&src);
-            cs->step_index = *src++;
+            cs->step_index = av_clip(*src++, 0, 88);
             src++;
         }
 
@@ -823,7 +823,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
         src += 4; // skip sample count (already read)
 
         for (i=0; i<=st; i++)
-            c->status[i].step_index = bytestream_get_le32(&src);
+            c->status[i].step_index = av_clip(bytestream_get_le32(&src), 0, 88);
         for (i=0; i<=st; i++)
             c->status[i].predictor  = bytestream_get_le32(&src);
 
@@ -1037,11 +1037,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
     case CODEC_ID_ADPCM_IMA_SMJPEG:
         if (avctx->codec->id == CODEC_ID_ADPCM_IMA_AMV) {
             c->status[0].predictor = sign_extend(bytestream_get_le16(&src), 16);
-            c->status[0].step_index = bytestream_get_le16(&src);
+            c->status[0].step_index = av_clip(bytestream_get_le16(&src), 0, 88);
             src += 4;
         } else {
             c->status[0].predictor = sign_extend(bytestream_get_be16(&src), 16);
-            c->status[0].step_index = bytestream_get_byte(&src);
+            c->status[0].step_index = av_clip(bytestream_get_byte(&src), 0, 88);
             src += 1;
         }
 
-- 
cgit v1.2.3