[FFmpeg-cvslog] qdm2: fix out of array read

Michael Niedermayer git at videolan.org
Mon Mar 26 15:47:49 CEST 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Mar 26 15:26:14 2012 +0200| [fe91becc2dcf32fc4bc56b00b4533d34ec3d27f5] | committer: Michael Niedermayer

qdm2: fix out of array read

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe91becc2dcf32fc4bc56b00b4533d34ec3d27f5
---

 libavcodec/qdm2.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 91f5055..3868473 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -884,9 +884,12 @@ static int synthfilt_build_sb_samples (QDM2Context *q, GetBitContext *gb, int le
                         break;
 
                     case 30:
-                        if (BITS_LEFT(length,gb) >= 4)
-                            samples[0] = type30_dequant[qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1)];
-                        else
+                        if (BITS_LEFT(length,gb) >= 4) {
+                            unsigned v = qdm2_get_vlc(gb, &vlc_tab_type30, 0, 1);
+                            if (v >= FF_ARRAY_ELEMS(type30_dequant))
+                                return AVERROR_INVALIDDATA;
+                            samples[0] = type30_dequant[v];
+                        } else
                             samples[0] = SB_DITHERING_NOISE(sb,q->noise_idx);
 
                         run = 1;
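
Review bot: the early "return AVERROR_INVALIDDATA;" added in case 30 only helps if the callers of synthfilt_build_sb_samples check its return value, and none of them are visible in this hunk. Please confirm that they propagate the error, since otherwise decoding carries on with a partially filled samples[] for this subband. Declaring v as unsigned is the right choice: if qdm2_get_vlc can return a negative value, it wraps to a large number and is rejected by the same "v >= FF_ARRAY_ELEMS(type30_dequant)" test. A one-line comment saying so would stop a later change to "int v" from silently dropping the lower bound. The commit message could also say that the index into type30_dequant is taken from the bitstream, so the reason for the check is recorded with the change.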


