alac: Check that the channels fit at the given offset

The code tries to decode a number of channels at the offset given by the ff_alac_channel_layout_offsets table. Even if the number of channels decoded so far doesn't exceed the total number of channels, we need to check that we actually can decode that number of channels at this offset as well. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 35cbc98b720db95b923cb2d745f77bb2ee4363dc) Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
author: Martin Storsjö <martin@martin.st> 2013-09-03 14:16:40 +0300
committer: Luca Barbato <lu_zero@gentoo.org> 2013-09-07 10:26:04 +0200
commit: 790606cfe97ea897e72cd7d393ee653d2a56e8bd (patch)
tree: 091602ecf63cf26ed564ce89115cbcacdfeb5a82
parent: 7b9bcd993c10144f65b62364ab1fd11be51bde9b (diff)
download: ffmpeg-790606cfe97ea897e72cd7d393ee653d2a56e8bd.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index b69efc30dd..72e9353b54 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -418,7 +418,8 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data,
         }
 
         channels = (element == TYPE_CPE) ? 2 : 1;
-        if (ch + channels > alac->channels) {
+        if (ch + channels > alac->channels ||
+            ff_alac_channel_layout_offsets[alac->channels - 1][ch] + channels > alac->channels) {
             av_log(avctx, AV_LOG_ERROR, "invalid element channel count\n");
             return AVERROR_INVALIDDATA;
         }
author	Martin Storsjö <martin@martin.st>	2013-09-03 14:16:40 +0300
committer	Luca Barbato <lu_zero@gentoo.org>	2013-09-07 10:26:04 +0200
commit	790606cfe97ea897e72cd7d393ee653d2a56e8bd (patch)
tree	091602ecf63cf26ed564ce89115cbcacdfeb5a82
parent	7b9bcd993c10144f65b62364ab1fd11be51bde9b (diff)
download	ffmpeg-790606cfe97ea897e72cd7d393ee653d2a56e8bd.tar.gz