qdm2: Check data block size for bytes to bits overflow.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Alex Converse <alex.converse@gmail.com> 2012-01-25 15:27:11 -0800
committer: Reinhard Tartler <siretart@tauware.de> 2012-02-26 09:09:26 +0100
commit: e364f507183634a9134eea0e004c8ae448e54469 (patch)
tree: f4f47427a8412a2d5a33d7a4c65239d290f97339
parent: 571a4cf273a84b6f7f38697b462e667d4f0fddc4 (diff)
download: ffmpeg-e364f507183634a9134eea0e004c8ae448e54469.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 91c47a8ec2..6acb7d8362 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1819,6 +1819,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
     extradata += 4;
 
     s->checksum_size = AV_RB32(extradata);
+    if (s->checksum_size >= 1U << 28) {
+        av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+        return AVERROR_INVALIDDATA;
+    }
 
     s->fft_order = av_log2(s->fft_size) + 1;
     s->fft_frame_size = 2 * s->fft_size; // complex has two floats
author	Alex Converse <alex.converse@gmail.com>	2012-01-25 15:27:11 -0800
committer	Reinhard Tartler <siretart@tauware.de>	2012-02-26 09:09:26 +0100
commit	e364f507183634a9134eea0e004c8ae448e54469 (patch)
tree	f4f47427a8412a2d5a33d7a4c65239d290f97339
parent	571a4cf273a84b6f7f38697b462e667d4f0fddc4 (diff)
download	ffmpeg-e364f507183634a9134eea0e004c8ae448e54469.tar.gz