On 03/09/13 14:14, Martin Storsjö wrote: > On Tue, 3 Sep 2013, Luca Barbato wrote: > >> On 03/09/13 13:22, Martin Storsjö wrote: >>> The code tries to decode a number of channels at the >>> offset given by the ff_alac_channel_layout_offsets table. >>> Even if the number of channels decoded so far doesn't >>> exceed the total number of channels, we need to check that >>> we actually can decode that number of channels at this offset >>> as well. >>> >>> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind >>> CC: [email protected] >>> --- >>> libavcodec/alac.c | 3 ++- >>> 1 file changed, 2 insertions(+), 1 deletion(-) >>> >>> diff --git a/libavcodec/alac.c b/libavcodec/alac.c >>> index d643dd3..41d1f77 100644 >>> --- a/libavcodec/alac.c >>> +++ b/libavcodec/alac.c >>> @@ -418,7 +418,8 @@ static int alac_decode_frame(AVCodecContext >>> *avctx, void *data, >>> } >>> >>> channels = (element == TYPE_CPE) ? 2 : 1; >>> - if (ch + channels > alac->channels) { >>> + if (ch + channels > alac->channels || >>> + ff_alac_channel_layout_offsets[alac->channels - 1][ch] + >>> channels > alac->channels) { >>> av_log(avctx, AV_LOG_ERROR, "invalid element channel >>> count\n"); >>> return AVERROR_INVALIDDATA; >>> } >> >> Do we test above that alac-> channels are > 0 ? > > Yes, it's set and checked pretty rigorously with different fallbacks > between what's read from the bitstream and what the container set if the > bitstream values are insane, etc. >
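Review bot: the lookup `ff_alac_channel_layout_offsets[alac->channels - 1][ch]` added as the second operand of the `||` relies on `alac->channels` being at least 1 and no larger than the number of rows in that table, and neither bound is visible in this hunk. A short comment above the condition naming where those bounds are enforced would make the invariant checkable at the point of use. The column index `ch` is kept below `alac->channels` only because the `||` short-circuits on `ch + channels > alac->channels` first, so the operand order is load-bearing and worth a comment so it is not swapped later. The shared "invalid element channel count" message now covers two different failures; a separate message for the offset case would make reports from malformed streams easier to triage.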
Push anytime. (thank you =))

lu
