From a974adc3c78c4bcf62dd2a10ff1ae8eae6fa29ef Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Fri, 14 Dec 2012 01:12:56 +0100
Subject: g729dec: check pitch_delay_int.

Fix out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/g729dec.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libavcodec/g729dec.c')

diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c
index b44120f..db3f013 100644
--- a/libavcodec/g729dec.c
+++ b/libavcodec/g729dec.c
@@ -510,6 +510,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr,
 
         /* Round pitch delay to nearest (used everywhere except ff_acelp_interpolate). */
         pitch_delay_int[i]  = (pitch_delay_3x + 1) / 3;
+        if (pitch_delay_int[i] > PITCH_DELAY_MAX) {
+            av_log(avctx, AV_LOG_WARNING, "pitch_delay_int %d is too large\n", pitch_delay_int[i]);
+            pitch_delay_int[i] = PITCH_DELAY_MAX;
+        }
 
         if (frame_erasure) {
             ctx->rand_value = g729_prng(ctx->rand_value);
-- 
cgit v1.1