[FFmpeg-cvslog] dca: Check scale_sum.

Michael Niedermayer git at videolan.org
Wed Feb 29 21:51:27 CET 2012 

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Wed Feb 29 20:47:47 2012 +0100| [51db9a97e9edde4c80218d194731e187ea7dcba8] | committer: Michael Niedermayer

dca: Check scale_sum.

Fixes a out of array read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=51db9a97e9edde4c80218d194731e187ea7dcba8
---

 libavcodec/dca.c |   16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index 562eb94..33e4120 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -717,15 +717,19 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index)
 
     for (j = base_channel; j < s->prim_channels; j++) {
         const uint32_t *scale_table;
+        unsigned int scale_max;
         int scale_sum;
 
         memset(s->scale_factor[j], 0,
                s->subband_activity[j] * sizeof(s->scale_factor[0][0][0]) * 2);
 
-        if (s->scalefactor_huffman[j] == 6)
+        if (s->scalefactor_huffman[j] == 6) {
             scale_table = scale_factor_quant7;
-        else
+            scale_max   = 127;
+        } else {
             scale_table = scale_factor_quant6;
+            scale_max   = 63;
+        }
 
         /* When huffman coded, only the difference is encoded */
         scale_sum = 0;
@@ -733,12 +737,20 @@ static int dca_subframe_header(DCAContext *s, int base_channel, int block_index)
         for (k = 0; k < s->subband_activity[j]; k++) {
             if (k >= s->vq_start_subband[j] || s->bitalloc[j][k] > 0) {
                 scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum);
+                if (scale_sum > scale_max) {
+                    av_log(s->avctx, AV_LOG_ERROR, "scale_sum out of range\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 s->scale_factor[j][k][0] = scale_table[scale_sum];
             }
 
             if (k < s->vq_start_subband[j] && s->transition_mode[j][k]) {
                 /* Get second scale factor */
                 scale_sum = get_scale(&s->gb, s->scalefactor_huffman[j], scale_sum);
+                if (scale_sum > scale_max) {
+                    av_log(s->avctx, AV_LOG_ERROR, "scale_sum out of range\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 s->scale_factor[j][k][1] = scale_table[scale_sum];
             }
         }

More information about the ffmpeg-cvslog mailing list