diff options
| author | Justin Ruggles <justin.ruggles@gmail.com> | 2012-09-29 11:31:35 -0400 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-10-14 15:27:39 -0400 |
| commit | d7de11260bd1f656b475dbe96c10a602fbff332e (patch) | |
| tree | 4cc33c8ca6a8879f571815c8f5cde7d07875f0ed | |
| parent | 31bc3fb563b12931cc4e2175adbeec92a5de05f1 (diff) | |
| download | ffmpeg-d7de11260bd1f656b475dbe96c10a602fbff332e.tar.gz | |
ac3dec: ensure get_buffer() gets a buffer for the correct number of channels
If there is an error during frame parsing, but AVCodecContext.channels was
changed and AC3DecodeContext.out_channels was set previously, the two may not
match.
Fixes CVE-2012-2802
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 56b6a43056235fc110a018678da590595734203d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| -rw-r--r-- | libavcodec/ac3dec.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index fdc1d6830e..28a783a075 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1404,6 +1404,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; /* get output buffer */ + avctx->channels = s->out_channels; s->frame.nb_samples = s->num_blocks * 256; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); |