authorVittorio Giovara <vittorio.giovara@gmail.com>2014-11-21 12:57:40 +0000
committerLuca Barbato <lu_zero@gentoo.org>2015-01-13 00:16:40 +0100
commitfbc20c3b85be169389b6c9f8806a311d3dea91ea (patch)
tree476df1354957abf56327ff14e6507100ae61be8b
parent484e015dc8b9983297e9269b406c65084daf4528 (diff)
downloadffmpeg-fbc20c3b85be169389b6c9f8806a311d3dea91ea.tar.gz
aacdec: avoid an out-of-bounds write
Also move the check into the case where it is actually used. CC: libav-stable@libav.org Bug-Id: CID 1087090 (cherry picked from commit b99ca863506f0630514921b740b78364de67a3ff) Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
-rw-r--r--libavcodec/aacdec.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 4bdf52fc66..2258aed0ae 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -143,8 +143,6 @@ static av_cold int che_configure(AACContext *ac,
enum ChannelPosition che_pos,
int type, int id, int *channels)
{
- if (*channels >= MAX_CHANNELS)
- return AVERROR_INVALIDDATA;
if (che_pos) {
if (!ac->che[type][id]) {
if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
@@ -152,6 +150,8 @@ static av_cold int che_configure(AACContext *ac,
ff_aac_sbr_ctx_init(ac, &ac->che[type][id]->sbr);
}
if (type != TYPE_CCE) {
+ if (*channels >= MAX_CHANNELS - 2)
+ return AVERROR_INVALIDDATA;
ac->output_element[(*channels)++] = &ac->che[type][id]->ch[0];
if (type == TYPE_CPE ||
(type == TYPE_SCE && ac->oc[1].m4ac.ps == 1)) {
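Review bot: The `- 2` in the added guard `if (*channels >= MAX_CHANNELS - 2)` is an unexplained margin, so a later cleanup could "simplify" it back to `MAX_CHANNELS` and reopen the out-of-bounds write into `ac->output_element[]`. I would put a comment directly above it, e.g. `/* up to two output_element[] slots are consumed below: ch[0] always, ch[1] for CPE or SCE with PS */`. The second store is presumably inside the `TYPE_CPE`/PS branch, whose body lies outside this hunk. If `output_element` holds `MAX_CHANNELS` entries (its declaration is not visible here), the guard also rejects `*channels == MAX_CHANNELS - 2`, where both stores would still fit, and it applies the two-slot margin to a plain SCE that writes only one. That is safe, but the comment should say the conservative bound is deliberate.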