avcodec/dcadec: Check active_bands
authorMichael Niedermayer <michaelni@gmx.at>
Fri, 15 May 2015 16:29:40 +0000 (18:29 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Thu, 21 May 2015 18:43:39 +0000 (20:43 +0200)
Fixes CID1297594 part2

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fc624ec9ba7e5c4e8d905ac10f605a43d123f95a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/dcadec.c

index b2e5c7f..907e49b 100644 (file)
@@ -1823,8 +1823,13 @@ static int dca_xbr_parse_frame(DCAContext *s)
     for(i = 0; i < num_chsets; i++) {
         n_xbr_ch[i] = get_bits(&s->gb, 3) + 1;
         k = get_bits(&s->gb, 2) + 5;
-        for(j = 0; j < n_xbr_ch[i]; j++)
+        for(j = 0; j < n_xbr_ch[i]; j++) {
             active_bands[i][j] = get_bits(&s->gb, k) + 1;
+            if (active_bands[i][j] > DCA_SUBBANDS) {
+                av_log(s->avctx, AV_LOG_ERROR, "too many active subbands (%d)\n", active_bands[i][j]);
+                return AVERROR_INVALIDDATA;
+            }
+        }
     }
 
     /* skip to the end of the header */
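Review bot: The new bound on `active_bands[i][j]` has no comment recording why `DCA_SUBBANDS` is the limit, and the code that consumes the array lies outside this hunk, so a reader cannot tell which later access it protects. The value is read from the bitstream as `get_bits(&s->gb, k) + 1` with `k` between 5 and 8, so it can reach 256 before the check; a line above the `if` such as `/* read from the bitstream (1..256); must not exceed DCA_SUBBANDS */` would make that explicit. The same loop indexes `active_bands[i][j]` with `j` up to `n_xbr_ch[i]`, which can be 8, so it is worth confirming against the declarations (not visible here) that the second dimension holds 8 entries. `dca_xbr_parse_frame` starts and ends outside the hunk.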