Browse code
Check for out of bound writes in the QDM2 decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4a7876c6e4e62e94d51e364ba99aae4da7671238)
(cherry picked from commit b08df314dca6946ed644caacb9d3a533a054c0f6)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Laurent Aimar authored on 2011/10/01 07:45:05Showing 1 changed files
| ... | ... |
@@ -1821,6 +1821,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) |
| 1821 | 1821 |
|
| 1822 | 1822 |
avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata); |
| 1823 | 1823 |
extradata += 4; |
| 1824 |
+ if (s->channels > MPA_MAX_CHANNELS) |
|
| 1825 |
+ return AVERROR_INVALIDDATA; |
|
| 1824 | 1826 |
|
| 1825 | 1827 |
avctx->sample_rate = AV_RB32(extradata); |
| 1826 | 1828 |
extradata += 4; |
| ... | ... |
@@ -1843,6 +1845,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) |
| 1843 | 1843 |
// something like max decodable tones |
| 1844 | 1844 |
s->group_order = av_log2(s->group_size) + 1; |
| 1845 | 1845 |
s->frame_size = s->group_size / 16; // 16 iterations per super block |
| 1846 |
+ if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2) |
|
| 1847 |
+ return AVERROR_INVALIDDATA; |
|
| 1846 | 1848 |
|
| 1847 | 1849 |
s->sub_sampling = s->fft_order - 7; |
| 1848 | 1850 |
s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); |