Browse code
wmaprodec: check num_vec_coeffs for validity
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2012/04/14 18:07:11Showing 1 changed files
| ... | ... |
@@ -1169,7 +1169,12 @@ static int decode_subframe(WMAProDecodeCtx *s) |
| 1169 | 1169 |
int num_bits = av_log2((s->subframe_len + 3)/4) + 1; |
| 1170 | 1170 |
for (i = 0; i < s->channels_for_cur_subframe; i++) {
|
| 1171 | 1171 |
int c = s->channel_indexes_for_cur_subframe[i]; |
| 1172 |
- s->channel[c].num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; |
|
| 1172 |
+ int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; |
|
| 1173 |
+ if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) {
|
|
| 1174 |
+ av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); |
|
| 1175 |
+ return AVERROR_INVALIDDATA; |
|
| 1176 |
+ } |
|
| 1177 |
+ s->channel[c].num_vec_coeffs = num_vec_coeffs; |
|
| 1173 | 1178 |
} |
| 1174 | 1179 |
} else {
|
| 1175 | 1180 |
for (i = 0; i < s->channels_for_cur_subframe; i++) {
|