[libav-commits] qdm2: clip array indices returned by qdm2_get_vlc().

Sat, 02 Jun 2012 19:47:53 -0700 

Module: libav
Branch: release/0.5
Commit: ae6c57859cc0a5aaed7fcb14da63c58086c46e64

Author:    Ronald S. Bultje <[email protected]>
Committer: Derek Buitenhuis <[email protected]>
Date:      Wed May  2 16:12:46 2012 +0000

qdm2: clip array indices returned by qdm2_get_vlc().

Prevents subsequent overreads when these numbers are used as indices
in arrays.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: [email protected]

Signed-off-by: Justin Ruggles <[email protected]>
(cherry picked from commit 64953f67f98da2e787aeb45cc7f504390fa32a69)
Signed-off-by: Derek Buitenhuis <[email protected]>

Conflicts:

        libavcodec/qdm2.c

---

 libavcodec/qdm2.c |   18 +++++++++++++-----
 1 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 0a48402..79aa256 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -905,9 +905,13 @@ static void synthfilt_build_sb_samples (QDM2Context *q, 
GetBitContext *gb, int l
                         break;
 
                     case 30:
-                        if (BITS_LEFT(length,gb) >= 4)
-                            samples[0] = type30_dequant[qdm2_get_vlc(gb, 
&vlc_tab_type30, 0, 1)];
-                        else
+                        if (BITS_LEFT(length,gb) >= 4) {
+                            unsigned index = qdm2_get_vlc(gb, &vlc_tab_type30, 
0, 1);
+                            if (index < FF_ARRAY_ELEMS(type30_dequant)) {
+                                samples[0] = type30_dequant[index];
+                            } else
+                                samples[0] = 
SB_DITHERING_NOISE(sb,q->noise_idx);
+                        } else
                             samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
 
                         run = 1;
@@ -921,8 +925,12 @@ static void synthfilt_build_sb_samples (QDM2Context *q, 
GetBitContext *gb, int l
                                 type34_predictor = samples[0];
                                 type34_first = 0;
                             } else {
-                                samples[0] = type34_delta[qdm2_get_vlc(gb, 
&vlc_tab_type34, 0, 1)] / type34_div + type34_predictor;
-                                type34_predictor = samples[0];
+                                unsigned index = qdm2_get_vlc(gb, 
&vlc_tab_type34, 0, 1);
+                                if (index < FF_ARRAY_ELEMS(type34_delta)) {
+                                    samples[0] = type34_delta[index] / 
type34_div + type34_predictor;
+                                    type34_predictor = samples[0];
+                                } else
+                                    samples[0] = 
SB_DITHERING_NOISE(sb,q->noise_idx);
                             }
                         } else {
                             samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);

_______________________________________________
libav-commits mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-commits

Reply via email to