From 35cbc98b720db95b923cb2d745f77bb2ee4363dc Mon Sep 17 00:00:00 2001 From: =?utf8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 14:16:40 +0300 Subject: [PATCH] alac: Check that the channels fit at the given offset MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The code tries to decode a number of channels at the offset given by the ff_alac_channel_layout_offsets table. Even if the number of channels decoded so far doesn't exceed the total number of channels, we need to check that we actually can decode that number of channels at this offset as well. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö --- libavcodec/alac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index d643dd3..41d1f77 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -418,7 +418,8 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data, } channels = (element == TYPE_CPE) ? 2 : 1; - if (ch + channels > alac->channels) { + if (ch + channels > alac->channels || + ff_alac_channel_layout_offsets[alac->channels - 1][ch] + channels > alac->channels) { av_log(avctx, AV_LOG_ERROR, "invalid element channel count\n"); return AVERROR_INVALIDDATA; } -- 2.7.4