From 4782c4284fa3856a9b6910fe5ff6e4fb1c65b58c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Nov 2013 23:16:17 +0100 Subject: [PATCH] avcodec/ac3dec: check bap before use. Fixes out of array read Fixes assertion failure Fixes asan_static-oob_16431c0_8036_rio_bravo_mono_64_spx.ac3 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 82345cd49d..2a5cee17ed 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -497,6 +497,10 @@ static void ac3_decode_transform_coeffs_ch(AC3DecodeContext *s, int ch_index, ma break; default: /* 6 to 15 */ /* Shift mantissa and sign-extend it. */ + if (bap > 15) { + av_log(s->avctx, AV_LOG_ERROR, "bap %d is invalid in plain AC-3\n", bap); + bap = 15; + } mantissa = get_sbits(gbc, quantization_tab[bap]); mantissa <<= 24 - quantization_tab[bap]; break;