aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJustin Ruggles <justin.ruggles@gmail.com>2012-09-29 11:31:35 -0400
committerJustin Ruggles <justin.ruggles@gmail.com>2012-10-01 00:10:59 -0400
commit56b6a43056235fc110a018678da590595734203d (patch)
treedd5a9d031ce20db52dc5920ccc73ad720f695344
parent1a8c6917f68f7378465e18f7615762bfd22704c2 (diff)
downloadffmpeg-56b6a43056235fc110a018678da590595734203d.tar.gz
ac3dec: ensure get_buffer() gets a buffer for the correct number of channels
If there is an error during frame parsing, but AVCodecContext.channels was changed and AC3DecodeContext.out_channels was set previously, the two may not match. Fixes CVE-2012-2802 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
-rw-r--r--libavcodec/ac3dec.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 37426c6158..12770db2de 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1369,6 +1369,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE;
/* get output buffer */
+ avctx->channels = s->out_channels;
s->frame.nb_samples = s->num_blocks * 256;
if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");