From 98ff07d1c647e3b413f4b2d00d70ec9e7a0c93ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Jun 2014 22:13:39 +0200 Subject: [PATCH] avcodec/dcadec: Check dca_dmixtable index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: Niels Möller Signed-off-by: Michael Niedermayer --- libavcodec/dcadec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c index 9f6edc2e42..9847cf9842 100644 --- a/libavcodec/dcadec.c +++ b/libavcodec/dcadec.c @@ -601,6 +601,12 @@ static int dca_parse_audio_coding_header(DCAContext *s, int base_channel, if (get_bits1(&s->gb)) { embedded_downmix = get_bits1(&s->gb); coeff = get_bits(&s->gb, 6); + + if (coeff<1 || coeff>61) { + av_log(s->avctx, AV_LOG_ERROR, "6bit coeff %d is out of range\n", coeff); + return AVERROR_INVALIDDATA; + } + scale_factor = -1.0f / dca_dmix_code((coeff<<2)-3); s->xxch_dmix_sf[s->xxch_chset] = scale_factor; @@ -622,6 +628,10 @@ static int dca_parse_audio_coding_header(DCAContext *s, int base_channel, coeff = get_bits(&s->gb, 7); ichan = dca_xxch2index(s, 1 << i); + if ((coeff&63)<1 || (coeff&63)>61) { + av_log(s->avctx, AV_LOG_ERROR, "7bit coeff %d is out of range\n", coeff); + return AVERROR_INVALIDDATA; + } s->xxch_dmix_coeff[j][ichan] = dca_dmix_code((coeff<<2)-3); } }