# HG changeset patch
# User alexc
# Date 1268126831 0
# Node ID d8c2170062ceafa21cd39a264bcc59cdd7b59de7
# Parent  1a7d902e33ace40b74c30cc68e69aa163c0ad969
aacsbr: Check for illegal values of bs_pointer in sbr_read_grid().

diff -r 1a7d902e33ac -r d8c2170062ce aacsbr.c
--- a/aacsbr.c	Tue Mar 09 08:20:11 2010 +0000
+++ b/aacsbr.c	Tue Mar 09 09:27:11 2010 +0000
@@ -628,6 +628,8 @@
         if (ch_data->bs_num_env[1] == 1)
             ch_data->bs_amp_res = 0;
 
+        ch_data->bs_pointer = 0;
+
         ch_data->bs_freq_res[1] = get_bits1(gb);
         for (i = 1; i < ch_data->bs_num_env[1]; i++)
             ch_data->bs_freq_res[i + 1] = ch_data->bs_freq_res[1];
@@ -675,6 +677,12 @@
         break;
     }
 
+    if (ch_data->bs_pointer > ch_data->bs_num_env[1] + 1) {
+        av_log(ac->avccontext, AV_LOG_ERROR,
+               "Invalid bitstream, bs_pointer points to a middle noise border outside the time borders table: %d\n",
+               ch_data->bs_pointer);
+        return -1;
+    }
     if (ch_data->bs_frame_class == FIXFIX && ch_data->bs_num_env[1] > 4) {
         av_log(ac->avccontext, AV_LOG_ERROR,
                "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",