avcodec/ac3dec: check bap before use.
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 25 Nov 2013 22:16:17 +0000 (23:16 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 7 Jan 2014 23:23:23 +0000 (00:23 +0100)
Fixes out of array read
Fixes assertion failure
Fixes asan_static-oob_16431c0_8036_rio_bravo_mono_64_spx.ac3

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4782c4284fa3856a9b6910fe5ff6e4fb1c65b58c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/ac3dec.c

index f91ded0..2acd209 100644 (file)
@@ -488,6 +488,10 @@ static void ac3_decode_transform_coeffs_ch(AC3DecodeContext *s, int ch_index, ma
             break;
         default: /* 6 to 15 */
             /* Shift mantissa and sign-extend it. */
+            if (bap > 15) {
+                av_log(s->avctx, AV_LOG_ERROR, "bap %d is invalid in plain AC-3\n", bap);
+                bap = 15;
+            }
             mantissa = get_sbits(gbc, quantization_tab[bap]);
             mantissa <<= 24 - quantization_tab[bap];
             break;
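Review bot: The new `if (bap > 15)` guard clamps and keeps decoding, so a malformed stream yields a mantissa read with a substituted width instead of a frame flagged as damaged. The `av_log` at `AV_LOG_ERROR` could also repeat for every affected coefficient if this switch runs inside the per-frequency loop, which is outside the hunk. The hunk header shows the function returns void, so reporting failure would need a signature change; short of that, I would log once per call and document the bound (presumably the last valid index of `quantization_tab`, whose definition is not shown), e.g. `/* bap indexes quantization_tab[]; clamp so the lookup below stays in bounds */`. Only the upper bound is checked, and whether `bap` can be negative depends on its declaration, which is not visible here. The function body starts and ends outside the hunk.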