diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-10 22:36:15 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-10 23:12:42 +0100 |
| commit | 8e9a0a3568d915387c35645ea7d85945b98d2197 (patch) | |
| tree | bde82915a09ed64104eaf5eafffb6355a1daa46e | |
| parent | ecc31630f9a16ead4272a078c281afcb4db87f21 (diff) | |
| download | ffmpeg-8e9a0a3568d915387c35645ea7d85945b98d2197.tar.gz | |
mpc7: check subband index
This fixes a overread
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/mpc7.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index 6e4b8501c5..711f0da9f2 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -248,6 +248,10 @@ static int mpc7_decode_frame(AVCodecContext * avctx, void *data, if(i) t = get_vlc2(&gb, hdr_vlc.table, MPC7_HDR_BITS, 1) - 5; if(t == 4) bands[i].res[ch] = get_bits(&gb, 4); else bands[i].res[ch] = bands[i-1].res[ch] + t; + if (bands[i].res[ch] < -1 || bands[i].res[ch] > 17) { + av_log(avctx, AV_LOG_ERROR, "subband index invalid\n"); + return AVERROR_INVALIDDATA; + } } if(bands[i].res[0] || bands[i].res[1]){ |