[FFmpeg-devel] [PATCH] cook: check that category is smaller than 8

[Michael Niedermayer]

This fixes some out of global array accesses.
I do not know if such category values are invalid or mean
something that we do not support.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
---
 libavcodec/cook.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/libavcodec/cook.c b/libavcodec/cook.c
index 4e3c920..c9b2cd4 100644
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -647,7 +647,7 @@ static int mono_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer)
     int category_index[128];
     int quant_index_table[102];
     int category[128];
-    int ret;
+    int ret, i;
 
     memset(&category,       0, sizeof(category));
     memset(&category_index, 0, sizeof(category_index));
@@ -657,6 +657,12 @@ static int mono_decode(COOKContext *q, COOKSubpacket *p, float *mlt_buffer)
     q->num_vectors = get_bits(&q->gb, p->log2_numvector_size);
     categorize(q, p, quant_index_table, category, category_index);
     expand_category(q, category, category_index);
+    for (i=0; i<p->total_subbands; i++) {
+        if (category[i] > 7) {
+            av_log_ask_for_sample(q->avctx, "category greater than 7\n");
+            return -1;
+        }
+    }
     decode_vectors(q, p, category, quant_index_table, mlt_buffer);
 
     return 0;
-- 
1.7.5.4