authorAlex Converse <alex.converse@gmail.com>2012-01-25 15:27:11 -0800
committerMichael Niedermayer <michaelni@gmx.at>2012-01-26 22:28:25 +0100
commita8ae00b68cb9895f4a819950dbc740bc8fc7c1e1 (patch)
tree10eb7b6831180076ffea33564366a4b4e2479afa /libavcodec
parentb9e79a3f4e428e54ff51febc94bdbbf0802d47e1 (diff)
qdm2: Check data block size for bytes to bits overflow.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/qdm2.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 0eca7ade21..5da21d757d 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1819,6 +1819,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
extradata += 4;
s->checksum_size = AV_RB32(extradata);
+ if (s->checksum_size >= 1U << 28) {
+ av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+ return AVERROR_INVALIDDATA;
+ }
s->fft_order = av_log2(s->fft_size) + 1;
s->fft_frame_size = 2 * s->fft_size; // complex has two floats
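Review bot: The bound `1U << 28` in the added check is a bare magic number, so a reader has to go to the commit title to learn that it guards a bytes-to-bits conversion. A comment above the `if` would keep that reasoning with the code, for example `/* checksum_size is a byte count later multiplied by 8; >= 2^28 would overflow 32 bits */`. The declaration of `checksum_size` is outside the hunk; if it is a signed `int`, the comparison rejects negative values only because `1U` forces an unsigned conversion, and `%u` then prints the converted value, which is worth stating in the same comment. A value of zero still passes this check, and whether later code in the decoder tolerates a zero-sized data block cannot be seen from here, so that should be confirmed against the field's users. `qdm2_decode_init` starts and ends outside the hunk, so any earlier `extradata_size` validation before the `AV_RB32` read is not visible.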