From a3541896c6f443177a4f715cd71d1bff7ba8f380 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 6 Mar 2013 05:04:15 +0100
Subject: [PATCH] qdm2: check "AC" codewords

Fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/qdm2.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 283d8e6b0e..7136cf1c23 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -824,6 +824,11 @@ static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int le
 }
 } else {
 n = get_bits(gb, 8);
+ if (n >= 243) {
+ av_log(NULL, AV_LOG_ERROR, "Invalid 8bit codeword\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 for (k = 0; k < 5; k++)
 samples[2 * k] = dequant_1bit[joined_stereo][random_dequant_index[n][k]];
 }
@@ -860,6 +865,11 @@ static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int le
 }
 } else {
 n = get_bits (gb, 8);
+ if (n >= 243) {
+ av_log(NULL, AV_LOG_ERROR, "Invalid 8bit codeword\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 for (k = 0; k < 5; k++)
 samples[k] = dequant_1bit[joined_stereo][random_dequant_index[n][k]];
 }
@@ -873,6 +883,11 @@ static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int le
 case 24:
 if (get_bits_left(gb) >= 7) {
 n = get_bits(gb, 7);
+ if (n >= 125) {
+ av_log(NULL, AV_LOG_ERROR, "Invalid 7bit codeword\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 for (k = 0; k < 3; k++)
 samples[k] = (random_dequant_type24[n][k] - 2.0) * 0.5;
 } else {
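Review bot: The guard `if (n >= 243)` in the hunk at -824 uses a bare literal as its bound, as do the identical check in the hunk at -860 and `if (n >= 125)` in the hunk at -873, so nothing ties these checks to the tables they protect. The declarations of `random_dequant_index` and `random_dequant_type24` are outside the patch, so it cannot be confirmed from here that 243 and 125 equal the number of valid rows. Presumably they are 3^5 and 5^3, matching the `k < 5` and `k < 3` loops. A named constant shared with the table setup would keep check and table from drifting apart, or at least a comment such as `/* 243 = 3^5 valid codewords; larger n indexes past the populated table rows */`. The enclosing function starts and ends outside the hunk.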
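Review bot: The `return AVERROR_INVALIDDATA;` added in the hunk at -860, and likewise in the other two hunks, only stops decoding of a malformed packet if every caller of synthfilt_build_sb_samples checks the result, and no call site is part of this patch. The function body starts and ends outside the hunk, so it is also not visible whether `samples` or other per-subband state has already been partly written when the early return is taken. A caller that ignores the error would then carry on with a half-filled block. I would confirm that the callers propagate the error and state the return contract in the function's comment, for example `/* returns AVERROR_INVALIDDATA on an invalid codeword; the caller must abandon the packet */`.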
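Review bot: `av_log(NULL, ...)` in the hunk at -873 logs without a context, and the two 8-bit checks do the same, so the error cannot be attributed to a particular stream or filtered per context. If a logging context is reachable from `q` (not visible in this hunk), it should be passed instead of `NULL`. Including the rejected value would also help when triaging a malformed sample, assuming `n` is an int: `av_log(NULL, AV_LOG_ERROR, "Invalid 7bit codeword %d\n", n);`.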