Fix crash when max_ref_frames was out of range.

This might have been exploitable.
Fixes first crash of issue840.

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@18388 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index a8de940949f2a01e0eb8719f1dba06d94dc0f2ef..921010eaf04952010a556fb06f2da1326df19957 100644 (file)
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -3554,7 +3554,7 @@ static void decode_qlogs(SnowContext *s){
 }
 
 static int decode_header(SnowContext *s){
-    int plane_index;
+    int plane_index, tmp;
     uint8_t kstate[32];
 
     memset(kstate, MID_STATE, sizeof(kstate));
@@ -3583,7 +3583,12 @@ static int decode_header(SnowContext *s){
         s->chroma_v_shift= get_symbol(&s->c, s->header_state, 0);
         s->spatial_scalability= get_rac(&s->c, s->header_state);
 //        s->rate_scalability= get_rac(&s->c, s->header_state);
-        s->max_ref_frames= get_symbol(&s->c, s->header_state, 0)+1;
+        tmp= get_symbol(&s->c, s->header_state, 0)+1;
+        if(tmp < 1 || tmp > MAX_REF_FRAMES){
+            av_log(s->avctx, AV_LOG_ERROR, "reference frame count is %d\n", tmp);
+            return -1;
+        }
+        s->max_ref_frames= tmp;
 
         decode_qlogs(s);
     }
@@ -3649,6 +3654,7 @@ static av_cold int common_init(AVCodecContext *avctx){
     int i, j;
 
     s->avctx= avctx;
+    s->max_ref_frames=1; //just make sure its not an invalid value in case of no initial keyframe
 
     dsputil_init(&s->dsp, avctx);