On Tue, 3 Sep 2013, Luca Barbato wrote:

On 03/09/13 13:22, Martin Storsjö wrote:
The code tries to decode a number of channels at the
offset given by the ff_alac_channel_layout_offsets table.
Even if the number of channels decoded so far doesn't
exceed the total number of channels, we need to check that
we actually can decode that number of channels at this offset
as well.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: [email protected]
---
 libavcodec/alac.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index d643dd3..41d1f77 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -418,7 +418,8 @@ static int alac_decode_frame(AVCodecContext *avctx, void 
*data,
         }

         channels = (element == TYPE_CPE) ? 2 : 1;
-        if (ch + channels > alac->channels) {
+        if (ch + channels > alac->channels ||
+            ff_alac_channel_layout_offsets[alac->channels - 1][ch] + channels > 
alac->channels) {
             av_log(avctx, AV_LOG_ERROR, "invalid element channel count\n");
             return AVERROR_INVALIDDATA;
         }
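Review bot: the added disjunct indexes ff_alac_channel_layout_offsets[alac->channels - 1][ch], so it silently depends on two things: alac->channels being at least 1 (otherwise the row index underflows), and the first disjunct being evaluated first, because `ch + channels <= alac->channels` together with `channels` being 1 or 2 is what keeps `ch` inside the row. Worth stating that in the commit message or in a one-line comment above the `if`, since reordering the two conditions later would reintroduce an out-of-bounds read. As a style point, the new line runs well past 80 columns; splitting the table lookup into a local (e.g. `int off = ff_alac_channel_layout_offsets[alac->channels - 1][ch];`) would keep it readable and make the `off + channels > alac->channels` bound obvious.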

Do we test above that alac->channels is > 0?

Yes, it's set and checked pretty rigorously with different fallbacks between what's read from the bitstream and what the container set if the bitstream values are insane, etc.

// Martin
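To make the reasoning behind the second condition concrete, here is a small stand-alone C illustration added to this thread; it is not code from the patch, from libav, or from either poster. The offset table is constructed for the example and is not the real ff_alac_channel_layout_offsets; the function names element_ok_before and element_ok_after are hypothetical. It contrasts the pre-patch check (running channel count only) with the post-patch check (running count plus the offset the table assigns to the element), on a 3-channel layout where the mono centre element is stored at offset 2.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed example table (NOT the real libavcodec table): row n-1
 * describes an n-channel stream and lists, for the i-th decoded channel,
 * the output-channel offset it is stored at. For three channels the mono
 * centre element is decoded first and stored at offset 2; the L/R pair
 * follows and is stored at offsets 0 and 1. */
#define MAX_CHANNELS 4
static const uint8_t layout_offsets[MAX_CHANNELS][MAX_CHANNELS] = {
    { 0 },
    { 0, 1 },
    { 2, 0, 1 },
    { 2, 0, 1, 3 },
};

/* Shared sanity checks: total channel count within the table, and the
 * element is either mono (1) or a channel pair (2). */
static int basic_ok(int total, int elem_channels)
{
    if (total < 1 || total > MAX_CHANNELS)
        return 0;
    return elem_channels == 1 || elem_channels == 2;
}

/* Pre-patch validation (hypothetical name): only checks that the channels
 * decoded so far plus this element do not exceed the stream total. */
int element_ok_before(int total, int ch, int elem_channels)
{
    if (!basic_ok(total, elem_channels))
        return 0;
    return ch + elem_channels <= total;
}

/* Post-patch validation (hypothetical name): the decoder writes
 * elem_channels consecutive output channels starting at the table offset,
 * so that offset plus elem_channels must also fit in total. The running
 * count is checked first: ch + elem_channels <= total with
 * elem_channels >= 1 guarantees ch <= total - 1, keeping [ch] in the row. */
int element_ok_after(int total, int ch, int elem_channels)
{
    int off;
    if (!basic_ok(total, elem_channels))
        return 0;
    if (ch + elem_channels > total)
        return 0;
    off = layout_offsets[total - 1][ch];
    if (off + elem_channels > total)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed element sequences: {total, ch, elem_channels}. */
    const int cases[][3] = {
        { 3, 0, 1 },  /* 3ch stream, centre first: fine either way       */
        { 3, 1, 2 },  /* then the L/R pair at offset 0: fine either way  */
        { 3, 0, 2 },  /* malformed: pair first, table offset 2 -> 2+2 > 3 */
        { 3, 2, 2 },  /* running count already overflows: both reject     */
        { 0, 0, 1 },  /* zero channels: must be rejected before indexing  */
    };
    size_t i;
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int t = cases[i][0], c = cases[i][1], n = cases[i][2];
        printf("total=%d ch=%d elem=%d  before=%d after=%d\n",
               t, c, n, element_ok_before(t, c, n), element_ok_after(t, c, n));
    }
    return 0;
}
```

The third case is the one the patch is about: the running count (0 + 2) fits in three channels, so the old check accepts it, but the table sends that pair to offset 2, where only one output channel remains, and the new check rejects it. Note that the check bounds writes against the end of the buffer only; it does not detect two elements overlapping the same offsets.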
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel