Prevent yet another buffer overwrite.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 38229362529ed1619d8ebcc81ecde85b23b45895)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
... | ... |
@@ -1122,11 +1122,12 @@ static int decode_subframe(WMAProDecodeCtx *s) |
1122 | 1122 |
cur_subwoofer_cutoff = s->subwoofer_cutoffs[s->table_idx]; |
1123 | 1123 |
|
1124 | 1124 |
/** configure the decoder for the current subframe */ |
1125 |
+ offset += s->samples_per_frame >> 1; |
|
1126 |
+ |
|
1125 | 1127 |
for (i = 0; i < s->channels_for_cur_subframe; i++) { |
1126 | 1128 |
int c = s->channel_indexes_for_cur_subframe[i]; |
1127 | 1129 |
|
1128 |
- s->channel[c].coeffs = &s->channel[c].out[(s->samples_per_frame >> 1) |
|
1129 |
- + offset]; |
|
1130 |
+ s->channel[c].coeffs = &s->channel[c].out[offset]; |
|
1130 | 1131 |
} |
1131 | 1132 |
|
1132 | 1133 |
s->subframe_len = subframe_len; |
... | ... |
@@ -1177,7 +1178,7 @@ static int decode_subframe(WMAProDecodeCtx *s) |
1177 | 1177 |
for (i = 0; i < s->channels_for_cur_subframe; i++) { |
1178 | 1178 |
int c = s->channel_indexes_for_cur_subframe[i]; |
1179 | 1179 |
int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; |
1180 |
- if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) { |
|
1180 |
+ if (num_vec_coeffs + offset > FF_ARRAY_ELEMS(s->channel[c].out)) { |
|
1181 | 1181 |
av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); |
1182 | 1182 |
return AVERROR_INVALIDDATA; |
1183 | 1183 |
} |
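Review bot: The replacement guard `num_vec_coeffs + offset > FF_ARRAY_ELEMS(s->channel[c].out)` adds a signed `int` count read from the bitstream to `offset` and compares the sum with an unsigned element count, so it is sound only if `offset` is already non-negative and inside `out[]` here. The declaration of `offset` lies outside the hunk and is presumably `int`. A short comment stating the invariant would help, e.g. `/* coeffs == &out[offset]: the bitstream-supplied count must fit in the rest of out[] */`. The error message still prints only `num_vec_coeffs` although rejection now also depends on `offset`; logging both, as in `"num_vec_coeffs %d at offset %d is too large\n", num_vec_coeffs, offset`, would make a rejected stream diagnosable. The first hunk now modifies `offset` in place, so any later use of `offset` in the parts of decode_subframe not shown sees the shifted value and should be re-checked.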