On Tue, Jun 9, 2015 at 8:26 PM, Luca Barbato <[email protected]> wrote: > On 10/06/15 00:12, Andreas Cadhalpun wrote: >> If chan2 is not smaller than the number of channels, it can cause >> segmentation faults due to dereferencing a NULL pointer. >> >> Signed-off-by: Andreas Cadhalpun <[email protected]> >> --- >> libavcodec/takdec.c | 6 ++++++ >> 1 file changed, 6 insertions(+) >> >> diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c >> index a453da8..4225030 100644 >> --- a/libavcodec/takdec.c >> +++ b/libavcodec/takdec.c >> @@ -801,6 +801,12 @@ static int tak_decode_frame(AVCodecContext *avctx, void >> *data, >> if (s->mcdparams[i].present) { >> s->mcdparams[i].index = get_bits(gb, 2); >> s->mcdparams[i].chan2 = get_bits(gb, 4); >> + if (s->mcdparams[i].chan2 >= avctx->channels) { >> + av_log(avctx, AV_LOG_ERROR, >> + "invalid channel 2 (%d) for %d >> channel(s)\n", >> + s->mcdparams[i].chan2, avctx->channels); >> + return AVERROR_INVALIDDATA; >> + } >> if (s->mcdparams[i].index == 1) { >> if ((nbit == s->mcdparams[i].chan2) || >> (ch_mask & 1 << s->mcdparams[i].chan2)) >> > > Looks fine to me.
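Review bot: In the added check following `s->mcdparams[i].chan2 = get_bits(gb, 4);`, the out-of-range value has already been written into the decoder context by the time `return AVERROR_INVALIDDATA;` is taken. Reading the 4 bits into a local, comparing that against `avctx->channels`, and assigning to `s->mcdparams[i].chan2` only when it passes would keep the rejected value out of `s`. The log text "invalid channel 2 (%d)" also reads like channel number 2 rather than the `chan2` field, so naming the field would make the message unambiguous. The commit message would be easier to verify if it stated which later access dereferences the NULL pointer.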
Correct me if I'm wrong but I think this wasn't applied to the tree.

-- 
Vittorio
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
