Fixes out of array write in quant_cof.
Also make sure no invalid opt_order stays in the context.
Fixes CVE-2012-2775
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1,
2, sconf->max_order + 1));
*bd->opt_order = get_bits(gb, opt_order_length);
+ if (*bd->opt_order > sconf->max_order) {
+ *bd->opt_order = sconf->max_order;
+ av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n");
+ return AVERROR_INVALIDDATA;
+ }
} else {
*bd->opt_order = sconf->max_order;
}