diff options
author | Alex Converse <alex.converse@gmail.com> | 2012-01-25 15:27:11 -0800 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-01-26 22:28:25 +0100 |
commit | a8ae00b68cb9895f4a819950dbc740bc8fc7c1e1 (patch) | |
tree | 10eb7b6831180076ffea33564366a4b4e2479afa /libavcodec | |
parent | b9e79a3f4e428e54ff51febc94bdbbf0802d47e1 (diff) | |
download | ffmpeg-a8ae00b68cb9895f4a819950dbc740bc8fc7c1e1.tar.gz |
qdm2: Check data block size for bytes to bits overflow.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/qdm2.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 0eca7ade21..5da21d757d 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1819,6 +1819,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) extradata += 4; s->checksum_size = AV_RB32(extradata); + if (s->checksum_size >= 1U << 28) { + av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size); + return AVERROR_INVALIDDATA; + } s->fft_order = av_log2(s->fft_size) + 1; s->fft_frame_size = 2 * s->fft_size; // complex has two floats |