From: Michael Niedermayer <[email protected]> Add a check to avoid writing past the end of the channel_unit.components[] array.
Fixes CVE-2012-0853 Signed-off-by: Michael Niedermayer <[email protected]> Signed-off-by: Justin Ruggles <[email protected]> --- libavcodec/atrac3.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index fd036e7..136b16c 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -402,6 +402,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent for (k=0; k<coded_components; k++) { sfIndx = get_bits(gb,6); + if (component_count >= 64) + return AVERROR_INVALIDDATA; pComponent[component_count].pos = j * 64 + (get_bits(gb,6)); max_coded_values = SAMPLES_PER_FRAME - pComponent[component_count].pos; coded_values = coded_values_per_component + 1; -- 1.7.1 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
