alsdec: check opt_order.

Fixes out of array write in quant_cof Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-24 01:39:13 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-03-24 14:54:12 +0100
commit: 9d3032b960ae03066c008d6e6774f68b17a1d69d (patch)
tree: 59369d7b36fc814f83ad4e4415eebcb40d527fff /libavcodec/alsdec.c
parent: 2c0559d5e2faeafa7998173a4dc430408475503f (diff)
download: ffmpeg-9d3032b960ae03066c008d6e6774f68b17a1d69d.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 63e58ff55a..a9b04b8569 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -663,6 +663,10 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
             int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                 2, sconf->max_order + 1));
             *bd->opt_order       = get_bits(gb, opt_order_length);
+            if (*bd->opt_order > sconf->max_order) {
+                av_log(avctx, AV_LOG_ERROR, "Order too large\n");
+                return -1;
+            }
         } else {
             *bd->opt_order = sconf->max_order;
         }
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-24 01:39:13 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-03-24 14:54:12 +0100
commit	9d3032b960ae03066c008d6e6774f68b17a1d69d (patch)
tree	59369d7b36fc814f83ad4e4415eebcb40d527fff /libavcodec/alsdec.c
parent	2c0559d5e2faeafa7998173a4dc430408475503f (diff)
download	ffmpeg-9d3032b960ae03066c008d6e6774f68b17a1d69d.tar.gz