Browse code
Check for out of bound writes in the QDM2 decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
Laurent Aimar authored on 2011/10/01 07:45:05Showing 1 changed files
| ... | ... |
@@ -77,6 +77,7 @@ do { \
|
| 77 | 77 |
#define SAMPLES_NEEDED_2(why) \ |
| 78 | 78 |
av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why); |
| 79 | 79 |
|
| 80 |
+#define QDM2_MAX_FRAME_SIZE 512 |
|
| 80 | 81 |
|
| 81 | 82 |
typedef int8_t sb_int8_array[2][30][64]; |
| 82 | 83 |
|
| ... | ... |
@@ -169,7 +170,7 @@ typedef struct {
|
| 169 | 169 |
/// I/O data |
| 170 | 170 |
const uint8_t *compressed_data; |
| 171 | 171 |
int compressed_size; |
| 172 |
- float output_buffer[1024]; |
|
| 172 |
+ float output_buffer[QDM2_MAX_FRAME_SIZE * 2]; |
|
| 173 | 173 |
|
| 174 | 174 |
/// Synthesis filter |
| 175 | 175 |
MPADSPContext mpadsp; |
| ... | ... |
@@ -1798,6 +1799,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) |
| 1798 | 1798 |
|
| 1799 | 1799 |
avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata); |
| 1800 | 1800 |
extradata += 4; |
| 1801 |
+ if (s->channels > MPA_MAX_CHANNELS) |
|
| 1802 |
+ return AVERROR_INVALIDDATA; |
|
| 1801 | 1803 |
|
| 1802 | 1804 |
avctx->sample_rate = AV_RB32(extradata); |
| 1803 | 1805 |
extradata += 4; |
| ... | ... |
@@ -1819,6 +1822,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) |
| 1819 | 1819 |
// something like max decodable tones |
| 1820 | 1820 |
s->group_order = av_log2(s->group_size) + 1; |
| 1821 | 1821 |
s->frame_size = s->group_size / 16; // 16 iterations per super block |
| 1822 |
+ if (s->frame_size > QDM2_MAX_FRAME_SIZE) |
|
| 1823 |
+ return AVERROR_INVALIDDATA; |
|
| 1822 | 1824 |
|
| 1823 | 1825 |
s->sub_sampling = s->fft_order - 7; |
| 1824 | 1826 |
s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); |