From 7d74aaf6985e0f286e10c851e4d7e80fd687a774 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 26 Mar 2012 15:16:47 +0200
Subject: [PATCH] qdm2dec: fix out of array read
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/qdm2.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 5da21d757d..91f50556dd 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -766,7 +766,7 @@ static void fill_coding_method_array (sb_int8_array tone_level_idx, sb_int8_arra
 * @param sb_min lower subband processed (sb_min included)
 * @param sb_max higher subband processed (sb_max excluded)
 */
-static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max)
+static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int length, int sb_min, int sb_max)
 {
 int sb, j, k, n, ch, run, channels;
 int joined_stereo, zero_encoding, chs;
@@ -780,7 +780,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
 for (sb=sb_min; sb < sb_max; sb++)
 build_sb_samples_from_noise (q, sb);
- return;
+ return 0;
 }
 for (sb = sb_min; sb < sb_max; sb++) {
@@ -900,7 +900,10 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
 type34_predictor = samples[0];
 type34_first = 0;
 } else {
- samples[0] = type34_delta[qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1)] / type34_div + type34_predictor;
+ unsigned v = qdm2_get_vlc(gb, &vlc_tab_type34, 0, 1);
+ if (v >= FF_ARRAY_ELEMS(type34_delta))
+ return AVERROR_INVALIDDATA;
+ samples[0] = type34_delta[v] / type34_div + type34_predictor;
 type34_predictor = samples[0];
 }
 } else {
@@ -936,6 +939,7 @@ static void synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int l
 } // j loop
 } // channel loop
 } // subband loop
+ return 0;
 }
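Review bot: The Doxygen block that closes just above the changed signature documents only parameters, and now that synthfilt_build_sb_samples returns `int` it should say what the value means. A line such as ` * @return 0 on success, AVERROR_INVALIDDATA if a type34 VLC index lies outside type34_delta` before the closing `*/` would cover both return paths this patch adds. The comment block starts above the hunk, so only its last three lines are visible here.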
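Review bot: The new `return AVERROR_INVALIDDATA;` in the type34 branch only has an effect if callers check it, and the diffstat (one file, 7 insertions, 3 deletions) shows no call site of synthfilt_build_sb_samples being changed. The callers are outside these hunks, but presumably they still discard the result, so a malformed packet would no longer read past type34_delta yet decoding would carry on with the subband samples only partly built. Each call site should test the result, e.g. `if (synthfilt_build_sb_samples(...) < 0)`, and abandon the packet; how the error is propagated further depends on the callers' own return types. Declaring `v` as `unsigned` also looks intended to let the single `>=` comparison reject a negative VLC result, which deserves a short comment such as `/* unsigned: a negative VLC result fails the same bound check */`.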