diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-03-06 05:04:15 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-03-06 05:04:39 +0100 |
| commit | a3541896c6f443177a4f715cd71d1bff7ba8f380 (patch) | |
| tree | d15457260bfeeed576756d780fdff487b047ff55 /libavcodec/qdm2.c | |
| parent | 5c8ffbaa7fe7ccba78ffe056d943910400af9508 (diff) | |
| download | ffmpeg-a3541896c6f443177a4f715cd71d1bff7ba8f380.tar.gz | |
qdm2: check "AC" codewords
Fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/qdm2.c')
| -rw-r--r-- | libavcodec/qdm2.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 283d8e6b0e..7136cf1c23 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -824,6 +824,11 @@ static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int le } } else { n = get_bits(gb, 8); + if (n >= 243) { + av_log(NULL, AV_LOG_ERROR, "Invalid 8bit codeword\n"); + return AVERROR_INVALIDDATA; + } + for (k = 0; k < 5; k++) samples[2 * k] = dequant_1bit[joined_stereo][random_dequant_index[n][k]]; } @@ -860,6 +865,11 @@ static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int le } } else { n = get_bits (gb, 8); + if (n >= 243) { + av_log(NULL, AV_LOG_ERROR, "Invalid 8bit codeword\n"); + return AVERROR_INVALIDDATA; + } + for (k = 0; k < 5; k++) samples[k] = dequant_1bit[joined_stereo][random_dequant_index[n][k]]; } @@ -873,6 +883,11 @@ static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int le case 24: if (get_bits_left(gb) >= 7) { n = get_bits(gb, 7); + if (n >= 125) { + av_log(NULL, AV_LOG_ERROR, "Invalid 7bit codeword\n"); + return AVERROR_INVALIDDATA; + } + for (k = 0; k < 3; k++) samples[k] = (random_dequant_type24[n][k] - 2.0) * 0.5; } else { |