From: Michael Niedermayer <[email protected]> This fixes potentially exploitable out of array writes.
Signed-off-by: Michael Niedermayer <[email protected]>
Signed-off-by: Justin Ruggles <[email protected]>
CC: [email protected]
---
 libavcodec/ac3dec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index fd0bf33..d47e4f9 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1381,12 +1381,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 /* decode the audio blocks */
 channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on];
+ for (ch = 0; ch < AC3_MAX_CHANNELS; ch++) {
+ output[ch] = s->output[ch];
+ }
 for (ch = 0; ch < s->channels; ch++) {
 if (ch < s->out_channels)
 s->outptr[channel_map[ch]] = (float *)frame->data[ch];
 else
 s->outptr[ch] = s->output[ch];
- output[ch] = s->output[ch];
 }
 for (blk = 0; blk < s->num_blocks; blk++) {
 if (!err && decode_audio_block(s, blk)) {
@@ -1395,7 +1397,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 }
 if (err)
 for (ch = 0; ch < s->out_channels; ch++)
- memcpy(s->outptr[channel_map[ch]], output[ch], sizeof(**output) * AC3_BLOCK_SIZE);
+ memcpy(((float*)frame->data[ch]) + AC3_BLOCK_SIZE*blk, output[ch], sizeof(**output) * AC3_BLOCK_SIZE);
 for (ch = 0; ch < s->out_channels; ch++)
 output[ch] = s->outptr[channel_map[ch]];
 for (ch = 0; ch < s->channels; ch++)
-- 
1.8.1.2
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
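Review bot: The new loop over `AC3_MAX_CHANNELS` in the first hunk has no comment saying why every slot of `output[]` is now seeded rather than only the first `s->channels`, and that reason is the security-relevant part of the change. I would add above it `/* initialise every output[] slot so the error path never copies from an unset pointer */`. The loop also assumes that both the local `output[]` and `s->output[]` have at least `AC3_MAX_CHANNELS` entries; neither declaration is visible here, so that is worth confirming. `ac3_decode_frame` starts and ends outside the hunk.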
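Review bot: In the second hunk the concealment copy now writes to `frame->data[ch]` directly, but the line right after it still reloads `output[ch]` from `s->outptr[channel_map[ch]]`, so the next failed block copies from the pointer the write side no longer uses. If that pointer could be out of range as a destination, it may equally be an unsafe read source; consider `output[ch] = ((float *)frame->data[ch]) + AC3_BLOCK_SIZE * blk;` there, or a comment stating why `s->outptr[channel_map[ch]]` is still safe to read. The new destination also depends on each `frame->data[ch]` plane holding at least `s->num_blocks * AC3_BLOCK_SIZE` floats, which is set up outside the hunk and is not checked here. The enclosing `for (blk ...)` loop ends outside the hunk.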
