From 0ab3687924457cb4fd81897bd39ab3cc5b699588 Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Thu, 9 Feb 2012 17:11:55 -0800
Subject: dv: Fix small overread in audio frequency table.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
 libavformat/dv.c | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'libavformat/dv.c')

diff --git a/libavformat/dv.c b/libavformat/dv.c
index 5be6118a7a..0201a80b31 100644
--- a/libavformat/dv.c
+++ b/libavformat/dv.c
@@ -121,6 +121,9 @@ static int dv_extract_audio(uint8_t* frame, uint8_t* ppcm[4],
     if (quant > 1)
         return -1; /* unsupported quantization */
 
+    if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency))
+        return AVERROR_INVALIDDATA;
+
     size = (sys->audio_min_samples[freq] + smpls) * 4; /* 2ch, 2bytes */
     half_ch = sys->difseg_size / 2;
 
@@ -203,6 +206,12 @@ static int dv_extract_audio_info(DVDemuxContext* c, uint8_t* frame)
     stype = (as_pack[3] & 0x1f);      /* 0 - 2CH, 2 - 4CH, 3 - 8CH */
     quant =  as_pack[4] & 0x07;       /* 0 - 16bit linear, 1 - 12bit nonlinear */
 
+    if (freq >= FF_ARRAY_ELEMS(dv_audio_frequency)) {
+        av_log(c->fctx, AV_LOG_ERROR,
+               "Unrecognized audio sample rate index (%d)\n", freq);
+        return 0;
+    }
+
     if (stype > 3) {
         av_log(c->fctx, AV_LOG_ERROR, "stype %d is invalid\n", stype);
         c->ach = 0;
-- 
cgit v1.2.3