From fe91becc2dcf32fc4bc56b00b4533d34ec3d27f5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Mon, 26 Mar 2012 15:26:14 +0200
Subject: [PATCH] qdm2: fix out of array read

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/qdm2.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 91f50556dd..3868473828 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -884,9 +884,12 @@ static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int le
                         break;
 
                     case 30:
-                        if (BITS_LEFT(length,gb) >= 4)
-                            samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)];
-                        else
+                        if (BITS_LEFT(length,gb) >= 4) {
+                            unsigned v = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1);
+                            if (v >= FF_ARRAY_ELEMS(type30_dequant))
+                                return AVERROR_INVALIDDATA;
+                            samples[0] = type30_dequant[v];
+                        } else
                             samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
 
                         run = 1;