diff options
author | Justin Ruggles <justin.ruggles@gmail.com> | 2012-09-29 11:31:35 -0400 |
---|---|---|
committer | Justin Ruggles <justin.ruggles@gmail.com> | 2012-10-01 00:10:59 -0400 |
commit | 56b6a43056235fc110a018678da590595734203d (patch) | |
tree | dd5a9d031ce20db52dc5920ccc73ad720f695344 | |
parent | 1a8c6917f68f7378465e18f7615762bfd22704c2 (diff) | |
download | ffmpeg-56b6a43056235fc110a018678da590595734203d.tar.gz |
ac3dec: ensure get_buffer() gets a buffer for the correct number of channels
If there is an error during frame parsing, but AVCodecContext.channels was
changed and AC3DecodeContext.out_channels was set previously, the two may not
match.
Fixes CVE-2012-2802
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
-rw-r--r-- | libavcodec/ac3dec.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 37426c6158..12770db2de 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1369,6 +1369,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; /* get output buffer */ + avctx->channels = s->out_channels; s->frame.nb_samples = s->num_blocks * 256; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); |