From b5f628e227743fc1725a28b5b21f538a40efca82 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Tue, 23 Oct 2012 13:17:50 -0400
Subject: [PATCH] twinvq: validate sample rate code

A large invalid value could cause undefined behavior when left-shifted by 8 later in the function.
---
 libavcodec/twinvq.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 3159e498e7..7af370ee5a 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -1120,6 +1120,11 @@ static av_cold int twin_decode_init(AVCodecContext *avctx)
 avctx->channels = AV_RB32(avctx->extradata ) + 1;
 avctx->bit_rate = AV_RB32(avctx->extradata + 4) * 1000;
 isampf = AV_RB32(avctx->extradata + 8);
+
+ if (isampf < 8 || isampf > 44) {
+ av_log(avctx, AV_LOG_ERROR, "Unsupported sample rate\n");
+ return AVERROR_INVALIDDATA;
+ }
 switch (isampf) {
 case 44: avctx->sample_rate = 44100; break;
 case 22: avctx->sample_rate = 22050; break;
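Review bot: The added range check bounds only `isampf`; `avctx->channels` and `avctx->bit_rate` on the context lines just above it are computed from the same untrusted extradata with `+ 1` and `* 1000`, and both can wrap for large 32-bit inputs before anything inspects them. Nothing visible in the hunk shows that `avctx->extradata_size` covers the 12 bytes these three `AV_RB32` reads consume, so unless that is checked above the hunk, a guard such as `if (!avctx->extradata || avctx->extradata_size < 12) return AVERROR_INVALIDDATA;` belongs before the first read. The channel count presumably needs its own upper bound before it is used later in `twin_decode_init`, whose body continues outside the hunk. Logging the rejected value, e.g. `"Unsupported sample rate code %d\n", isampf` (assuming `isampf` is an `int`), would make the new error easier to triage.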