mlpdec: Fix possible writing out of array bounds introduced by being

author Ramiro Polla <ramiro.polla@gmail.com>

Wed, 6 May 2009 16:01:28 +0000 (16:01 +0000)

committer Ramiro Polla <ramiro.polla@gmail.com>

Wed, 6 May 2009 16:01:28 +0000 (16:01 +0000)
author Ramiro Polla <ramiro.polla@gmail.com>
Wed, 6 May 2009 16:01:28 +0000 (16:01 +0000)
committer Ramiro Polla <ramiro.polla@gmail.com>
Wed, 6 May 2009 16:01:28 +0000 (16:01 +0000)
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c

index f1a3b3a..0a64d79 100644 (file)
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -377,6 +377,15 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
          return -1;
      }
  
+    /* This should happen for TrueHD streams with >6 channels and MLP's noise
+     * type. It is not yet known if this is allowed. */
+    if (s->max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) {
+        av_log(m->avctx, AV_LOG_ERROR,
+               "Number of channels %d is larger than the maximum supported "
+               "by the decoder. %s\n", s->max_channel+2, sample_message);
+        return -1;
+    }
+
      if (s->min_channel > s->max_channel) {
          av_log(m->avctx, AV_LOG_ERROR,
                 "Substream min channel cannot be greater than max channel.\n");
author	Ramiro Polla <ramiro.polla@gmail.com>
	Wed, 6 May 2009 16:01:28 +0000 (16:01 +0000)
committer	Ramiro Polla <ramiro.polla@gmail.com>
	Wed, 6 May 2009 16:01:28 +0000 (16:01 +0000)