On 03/09/13 13:22, Martin Storsjö wrote: > The code tries to decode a number of channels at the > offset given by the ff_alac_channel_layout_offsets table. > Even if the number of channels decoded so far doesn't > exceed the total number of channels, we need to check that > we actually can decode that number of channels at this offset > as well. > > Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > CC: [email protected] > --- > libavcodec/alac.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/alac.c b/libavcodec/alac.c > index d643dd3..41d1f77 100644 > --- a/libavcodec/alac.c > +++ b/libavcodec/alac.c > @@ -418,7 +418,8 @@ static int alac_decode_frame(AVCodecContext *avctx, void > *data, > } > > channels = (element == TYPE_CPE) ? 2 : 1; > - if (ch + channels > alac->channels) { > + if (ch + channels > alac->channels || > + ff_alac_channel_layout_offsets[alac->channels - 1][ch] + > channels > alac->channels) { > av_log(avctx, AV_LOG_ERROR, "invalid element channel count\n"); > return AVERROR_INVALIDDATA; > }
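Review bot: The added clause indexes ff_alac_channel_layout_offsets[alac->channels - 1][ch], and nothing visible in this hunk shows that alac->channels is at least 1 and no larger than the number of rows in that table. If that range is not enforced earlier, the new check itself reads outside the table, so either point to the existing validation in the commit message or add the range check here. The [ch] index relies on the first clause short-circuiting when ch + channels > alac->channels, so the order of the two clauses matters and a one-line comment saying so would keep a later reordering from breaking it. The "invalid element channel count" message now also covers the offset case, and a separate message would make a rejected file easier to diagnose.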
Do we test above that alac->channels are > 0?

lu
