vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <[email protected]> | Tue Mar 5 15:55:29 2019 +0100| [a31ca516a02678579c312897e648c64135725867] | committer: Hugo Beauzée-Luyssen
faad: Fix potential stack buffer overflow DoReordering is bound by frame.channels, but the source array was bound by AOUT_MAX_CHAN https://hackerone.com/reports/503208 (cherry picked from commit f256bf045c2b1f7395f61b2039a67f18aee66673) Signed-off-by: Hugo Beauzée-Luyssen <[email protected]> > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=a31ca516a02678579c312897e648c64135725867 --- modules/codec/faad.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/codec/faad.c b/modules/codec/faad.c index 2a956aa753..dae312b147 100644 --- a/modules/codec/faad.c +++ b/modules/codec/faad.c @@ -513,13 +513,13 @@ static int DecodeBlock( decoder_t *p_dec, block_t *p_block ) /* Convert frame.channel_position to our own channel values */ p_dec->fmt_out.audio.i_physical_channels = 0; - uint8_t pi_neworder_table[AOUT_CHAN_MAX]; - uint32_t pi_faad_channels_positions[FAAD_CHANNEL_ID_COUNT + 1] = {0}; + uint8_t pi_neworder_table[64] = {0}; + uint32_t pi_faad_channels_positions[64 + 1] = {0}; bool b_reorder = false; if (p_dec->fmt_out.audio.channel_type == AUDIO_CHANNEL_TYPE_BITMAP) { - for( size_t i = 0; i < frame.channels && i < FAAD_CHANNEL_ID_COUNT; i++ ) + for( size_t i = 0; i < frame.channels; i++ ) { unsigned pos = frame.channel_position[i]; if( likely(pos < FAAD_CHANNEL_ID_COUNT) ) _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
