From 309616b2490d5504fe95fc0d71d2001a5ac27768 Mon Sep 17 00:00:00 2001
From: Ramiro Polla <ramiro.polla@gmail.com>
Date: Tue, 21 Apr 2009 22:32:50 +0000
Subject: [PATCH] mlpdec: Validate num_primitive_matrices.

Originally committed as revision 18650 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/mlp.h    |  2 ++
 libavcodec/mlpdec.c | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/libavcodec/mlp.h b/libavcodec/mlp.h
index 910d819cd99..f4bb9246e34 100644
--- a/libavcodec/mlp.h
+++ b/libavcodec/mlp.h
@@ -35,6 +35,8 @@
 /** Maximum number of matrices used in decoding; most streams have one matrix
  *  per output channel, but some rematrix a channel (usually 0) more than once.
  */
+#define MAX_MATRICES_MLP            6
+#define MAX_MATRICES_TRUEHD         8
 #define MAX_MATRICES        15
 
 /** Maximum number of substreams that can be decoded.
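Review bot: The two new limits are inserted between the existing doc comment and `MAX_MATRICES`, so the "Maximum number of matrices used in decoding" comment now attaches to `MAX_MATRICES_MLP` and leaves `MAX_MATRICES` undocumented. Neither new macro says that it is a per-codec limit on the count signalled in the bitstream rather than a storage size. I would move both below `MAX_MATRICES` and give each its own comment, e.g. `/** Maximum number of primitive matrices an MLP stream may signal. */` with a matching one for TrueHD. It is also worth stating that both must stay at or below `MAX_MATRICES`, which presumably sizes the per-matrix arrays (their declarations are not visible in this hunk).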
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 540d2ed8335..813be18b93c 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -527,6 +527,9 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
 {
     SubStream *s = &m->substream[substr];
     unsigned int mat, ch;
+    const int max_primitive_matrices = m->avctx->codec_id == CODEC_ID_MLP
+                                     ? MAX_MATRICES_MLP
+                                     : MAX_MATRICES_TRUEHD;
 
     if (m->matrix_changed++ > 1) {
         av_log(m->avctx, AV_LOG_ERROR, "Matrices may change only once per access unit.\n");
@@ -535,6 +538,13 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
 
     s->num_primitive_matrices = get_bits(gbp, 4);
 
+    if (s->num_primitive_matrices > max_primitive_matrices) {
+        av_log(m->avctx, AV_LOG_ERROR,
+               "Number of primitive matrices cannot be greater than %d.\n",
+               max_primitive_matrices);
+        return -1;
+    }
+
     for (mat = 0; mat < s->num_primitive_matrices; mat++) {
         int frac_bits, max_chan;
         s->matrix_out_ch[mat] = get_bits(gbp, 4);
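Review bot: `s->num_primitive_matrices` is overwritten with the raw 4-bit value before the new bounds check, so on the `return -1` path the substream keeps the rejected count. Whether anything reads that field after a failed header is not visible here, but if the caller keeps decoding this substream, later per-matrix loops would still iterate over the out-of-range count. Either validate a local and store it only on success, or clear the state on the error path with `s->num_primitive_matrices = 0;` just before `return -1;`. The body of read_matrix_params starts before and continues past this hunk.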
-- 
GitLab