alsdec: check opt_order.

Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com> (cherry picked from commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f) Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-24 01:39:13 +0100
committer: Anton Khirnov <anton@khirnov.net> 2012-09-28 08:20:11 +0200
commit: a1b127515bb79c715933d0d4201e4ef3152b3dcb (patch)
tree: 06895066fd153dacbb3722f2329b0fa6d5feaac9
parent: d9ffa2aca1e438a44d41f3ef3aeb8ef396bcd7b0 (diff)
download: ffmpeg-a1b127515bb79c715933d0d4201e4ef3152b3dcb.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 26496bf0f1..d5e09c5d2a 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -663,6 +663,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
             int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                 2, sconf->max_order + 1));
             *bd->opt_order       = get_bits(gb, opt_order_length);
+            if (*bd->opt_order > sconf->max_order) {
+                *bd->opt_order = sconf->max_order;
+                av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
+                return AVERROR_INVALIDDATA;
+            }
         } else {
             *bd->opt_order = sconf->max_order;
         }
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-24 01:39:13 +0100
committer	Anton Khirnov <anton@khirnov.net>	2012-09-28 08:20:11 +0200
commit	a1b127515bb79c715933d0d4201e4ef3152b3dcb (patch)
tree	06895066fd153dacbb3722f2329b0fa6d5feaac9
parent	d9ffa2aca1e438a44d41f3ef3aeb8ef396bcd7b0 (diff)
download	ffmpeg-a1b127515bb79c715933d0d4201e4ef3152b3dcb.tar.gz