aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2012-03-06 17:26:29 -0800
committerAlex Converse <alex.converse@gmail.com>2012-03-09 09:47:57 -0800
commitd53fe096e4d0d0e4db2859e467515de1a0ef91fa (patch)
treea3f14c17a6000e32fbb8e33caa137a9c57a77f5f
parent6294d708b8be886767f6181169143c29c975938f (diff)
downloadffmpeg-d53fe096e4d0d0e4db2859e467515de1a0ef91fa.tar.gz
aacdec: Fix out of array writes (stack).
Set the element to channel vector (e2c_vec) size to be the maximum number of aac channel elements. This makes it slightly larger than it needs to be because CCEs are never mapped to output channel locations. Also add a check that all input tags (legal or not) will fit. Split from FFmpeg commit a8d67efa53dae1d14614e3a7bd4e77e4eab066ab Signed-off-by: Alex Converse <alex.converse@gmail.com>
-rw-r--r--libavcodec/aacdec.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 4f94f5f5c9..c7c11c9e5f 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -223,10 +223,13 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in
static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
{
int i, n, total_non_cc_elements;
- struct elem_to_channel e2c_vec[MAX_ELEM_ID] = {{ 0 }};
+ struct elem_to_channel e2c_vec[4*MAX_ELEM_ID] = {{ 0 }};
int num_front_channels, num_side_channels, num_back_channels;
uint64_t layout;
+ if (FF_ARRAY_ELEMS(e2c_vec) < tags)
+ return 0;
+
i = 0;
num_front_channels =
count_paired_channels(layout_map, tags, AAC_CHANNEL_FRONT, &i);