# HG changeset patch
# User jbr
# Date 1228577783 0
# Node ID 4dd63fc58a8743036ecfa8583c2686a014b9ed34
# Parent  ebbdbb35a0cfd8fe0101bc3bf9cc853d1e33dafd
ac3dec: detect out-of-range exponents

diff -r ebbdbb35a0cf -r 4dd63fc58a87 ac3dec.c
--- a/ac3dec.c	Sat Dec 06 13:42:00 2008 +0000
+++ b/ac3dec.c	Sat Dec 06 15:36:23 2008 +0000
@@ -372,7 +372,7 @@
  * Decode the grouped exponents according to exponent strategy.
  * reference: Section 7.1.3 Exponent Decoding
  */
-static void decode_exponents(GetBitContext *gbc, int exp_strategy, int ngrps,
+static int decode_exponents(GetBitContext *gbc, int exp_strategy, int ngrps,
                              uint8_t absexp, int8_t *dexps)
 {
     int i, j, grp, group_size;
@@ -391,11 +391,14 @@
     /* convert to absolute exps and expand groups */
     prevexp = absexp;
     for(i=0; i<ngrps*3; i++) {
-        prevexp = av_clip(prevexp + dexp[i]-2, 0, 24);
+        prevexp += dexp[i] - 2;
+        if (prevexp < 0 || prevexp > 24)
+            return -1;
         for(j=0; j<group_size; j++) {
             dexps[(i*group_size)+j] = prevexp;
         }
     }
+    return 0;
 }
 
 /**
@@ -989,9 +992,12 @@
     for (ch = !cpl_in_use; ch <= s->channels; ch++) {
         if (s->exp_strategy[blk][ch] != EXP_REUSE) {
             s->dexps[ch][0] = get_bits(gbc, 4) << !ch;
-            decode_exponents(gbc, s->exp_strategy[blk][ch],
+            if (decode_exponents(gbc, s->exp_strategy[blk][ch],
                              s->num_exp_groups[ch], s->dexps[ch][0],
-                             &s->dexps[ch][s->start_freq[ch]+!!ch]);
+                             &s->dexps[ch][s->start_freq[ch]+!!ch])) {
+                av_log(s->avctx, AV_LOG_ERROR, "exponent out-of-range\n");
+                return -1;
+            }
             if(ch != CPL_CH && ch != s->lfe_ch)
                 skip_bits(gbc, 2); /* skip gainrng */
         }