mlpdec: Validate num_primitive_matrices.

Originally committed as revision 18650 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavcodec/mlp.h b/libavcodec/mlp.h
index 910d819..f4bb924 100644 (file)
--- a/libavcodec/mlp.h
+++ b/libavcodec/mlp.h
@@ -35,6 +35,8 @@
 /** Maximum number of matrices used in decoding; most streams have one matrix
  *  per output channel, but some rematrix a channel (usually 0) more than once.
  */
+#define MAX_MATRICES_MLP            6
+#define MAX_MATRICES_TRUEHD         8
 #define MAX_MATRICES        15
 
 /** Maximum number of substreams that can be decoded.

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 540d2ed..813be18 100644 (file)
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -527,6 +527,9 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
 {
     SubStream *s = &m->substream[substr];
     unsigned int mat, ch;
+    const int max_primitive_matrices = m->avctx->codec_id == CODEC_ID_MLP
+                                     ? MAX_MATRICES_MLP
+                                     : MAX_MATRICES_TRUEHD;
 
     if (m->matrix_changed++ > 1) {
         av_log(m->avctx, AV_LOG_ERROR, "Matrices may change only once per access unit.\n");
@@ -535,6 +538,13 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
 
     s->num_primitive_matrices = get_bits(gbp, 4);
 
+    if (s->num_primitive_matrices > max_primitive_matrices) {
+        av_log(m->avctx, AV_LOG_ERROR,
+               "Number of primitive matrices cannot be greater than %d.\n",
+               max_primitive_matrices);
+        return -1;
+    }
+
     for (mat = 0; mat < s->num_primitive_matrices; mat++) {
         int frac_bits, max_chan;
         s->matrix_out_ch[mat] = get_bits(gbp, 4);