alsdec: check opt_order.

Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>

alsdec: check opt_order.
Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
9853e41a · Michael Niedermayer · Justin Ruggles · 23aae62c · 9853e41a
Commit 9853e41a authored Mar 24, 2012 by Michael Niedermayer Committed by Justin Ruggles Sep 17, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

alsdec.c libavcodec/alsdec.c +5 -0

No files found.
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -668,6 +668,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
            int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
                                                2, sconf->max_order + 1));
            *bd->opt_order       = get_bits(gb, opt_order_length);
+            if (*bd->opt_order > sconf->max_order) {
+                *bd->opt_order = sconf->max_order;
+                av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
+                return AVERROR_INVALIDDATA;
+            }
        } else {
            *bd->opt_order = sconf->max_order;
        }