[FFmpeg-cvslog] aacdec: avoid an out-of-bounds write

Vittorio Giovara git at videolan.org
Sun Jan 18 02:23:35 CET 2015


ffmpeg | branch: release/2.4 | Vittorio Giovara <vittorio.giovara at gmail.com> | Fri Nov 21 12:57:40 2014 +0000| [fbc20c3b85be169389b6c9f8806a311d3dea91ea] | committer: Luca Barbato

aacdec: avoid an out-of-bounds write

Also move the check in the case it is actually used.

CC: libav-stable at libav.org
Bug-Id: CID 1087090
(cherry picked from commit b99ca863506f0630514921b740b78364de67a3ff)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fbc20c3b85be169389b6c9f8806a311d3dea91ea
---

 libavcodec/aacdec.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 4bdf52f..2258aed 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -143,8 +143,6 @@ static av_cold int che_configure(AACContext *ac,
                                  enum ChannelPosition che_pos,
                                  int type, int id, int *channels)
 {
-    if (*channels >= MAX_CHANNELS)
-        return AVERROR_INVALIDDATA;
     if (che_pos) {
         if (!ac->che[type][id]) {
             if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
@@ -152,6 +150,8 @@ static av_cold int che_configure(AACContext *ac,
             ff_aac_sbr_ctx_init(ac, &ac->che[type][id]->sbr);
         }
         if (type != TYPE_CCE) {
+            if (*channels >= MAX_CHANNELS - 2)
+                return AVERROR_INVALIDDATA;
             ac->output_element[(*channels)++] = &ac->che[type][id]->ch[0];
             if (type == TYPE_CPE ||
                 (type == TYPE_SCE && ac->oc[1].m4ac.ps == 1)) {



More information about the ffmpeg-cvslog mailing list