avcodec/apedec: Check length in long_filter_high_3800()
authorMichael Niedermayer <michael@niedermayer.cc>
Wed, 2 Dec 2015 20:16:27 +0000 (21:16 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 6 Dec 2015 01:51:27 +0000 (02:51 +0100)
Fixes out of array read
Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/apedec.c

index 5536e0f..c6eae55 100644 (file)
@@ -892,6 +892,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len
     int32_t dotprod, sign;
     int32_t coeffs[256], delay[256];
 
+    if (order >= length)
+        return;
+
     memset(coeffs, 0, order * sizeof(*coeffs));
     for (i = 0; i < order; i++)
         delay[i] = buffer[i];