[FFmpeg-cvslog] avcodec/dcadec: Check scale table index

Michael Niedermayer git at videolan.org
Fri May 15 20:32:47 CEST 2015


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri May 15 18:04:12 2015 +0200| [0f3e6959bfa67d12cd5a173b86eb15abd7d9e4d5] | committer: Michael Niedermayer

avcodec/dcadec: Check scale table index

Fixes CID1297594 part 1

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f3e6959bfa67d12cd5a173b86eb15abd7d9e4d5
---

 libavcodec/dcadec.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c
index 77c3737..25b426d 100644
--- a/libavcodec/dcadec.c
+++ b/libavcodec/dcadec.c
@@ -1285,23 +1285,34 @@ int ff_dca_xbr_parse_frame(DCAContext *s)
                 for(i = 0; i < n_xbr_ch[chset]; i++) {
                     const uint32_t *scale_table;
                     int nbits;
+                    int scale_table_size;
 
                     if (s->scalefactor_huffman[chan_base+i] == 6) {
                         scale_table = ff_dca_scale_factor_quant7;
+                        scale_table_size = FF_ARRAY_ELEMS(ff_dca_scale_factor_quant7);
                     } else {
                         scale_table = ff_dca_scale_factor_quant6;
+                        scale_table_size = FF_ARRAY_ELEMS(ff_dca_scale_factor_quant6);
                     }
 
                     nbits = anctemp[i];
 
                     for(j = 0; j < active_bands[chset][i]; j++) {
                         if(abits_high[i][j] > 0) {
-                            scale_table_high[i][j][0] =
-                                scale_table[get_bits(&s->gb, nbits)];
+                            int index = get_bits(&s->gb, nbits);
+                            if (index >= scale_table_size) {
+                                av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index);
+                                return AVERROR_INVALIDDATA;
+                            }
+                            scale_table_high[i][j][0] = scale_table[index];
 
                             if(xbr_tmode && s->transition_mode[i][j]) {
-                                scale_table_high[i][j][1] =
-                                    scale_table[get_bits(&s->gb, nbits)];
+                                int index = get_bits(&s->gb, nbits);
+                                if (index >= scale_table_size) {
+                                    av_log(s->avctx, AV_LOG_ERROR, "scale table index %d invalid\n", index);
+                                    return AVERROR_INVALIDDATA;
+                                }
+                                scale_table_high[i][j][1] = scale_table[index];
                             }
                         }
                     }



More information about the ffmpeg-cvslog mailing list