From b21ba20cc83c80fe56192fee3626a8087f37d806 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 22 Apr 2012 03:47:53 +0200
Subject: [PATCH] wmaprodec: tighter check for num_vec_coeffs
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/wmaprodec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index 8e7ef4cabd..8ed87f5e75 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -1166,6 +1166,7 @@ static int decode_subframe(WMAProDecodeCtx *s)
 transmit_coeffs = 1;
 }
+ av_assert0(s->subframe_len <= WMAPRO_BLOCK_MAX_SIZE);
 if (transmit_coeffs) {
 int step;
 int quant_step = 90 * s->bits_per_sample >> 4;
@@ -1176,7 +1177,7 @@ static int decode_subframe(WMAProDecodeCtx *s)
 for (i = 0; i < s->channels_for_cur_subframe; i++) {
 int c = s->channel_indexes_for_cur_subframe[i];
 int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2;
- if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) {
+ if (num_vec_coeffs > s->subframe_len) {
 av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs);
 return AVERROR_INVALIDDATA;
 }
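Review bot: `av_assert0()` is compiled into every build and aborts the process on failure, so the added line in the first hunk turns a violated bound into a crash of the host application rather than a decode error. Where `s->subframe_len` is bounded is not visible in this hunk. If it can be influenced by bitstream fields without an earlier check, prefer `if (s->subframe_len > WMAPRO_BLOCK_MAX_SIZE) return AVERROR_INVALIDDATA;`. If it is a true internal invariant, keep the assert and add a one-line comment naming the function that establishes the bound. decode_subframe starts and ends outside the hunk.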
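Review bot: The tightened `num_vec_coeffs` check in the second hunk has no comment explaining why `s->subframe_len` is the correct limit, and its error message does not print the limit that was exceeded. A comment above the `if`, such as `/* vector-coded coefficients cannot outnumber the coefficients of this subframe */`, would record the intent; that reading is inferred from the names and should be confirmed. Logging both values, `"num_vec_coeffs %d exceeds subframe_len %d\n", num_vec_coeffs, s->subframe_len`, would make malformed or fuzzed samples easier to triage. The check presumably still relies on `subframe_len` staying within `WMAPRO_BLOCK_MAX_SIZE`, which the first hunk asserts. The enclosing loop continues outside the hunk.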