mpegaudiodec: Validate that the number of channels fits at the given offset

This is similar to the fix in 35cbc98b. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit e9d61de96c113ee0ef8082833c7e682df0e23eec) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit bacf5db1962a6955ce80eea6bbc86c6970d7d360)
author: Martin Storsjö <martin@martin.st> 2013-09-19 15:32:02 +0300
committer: Luca Barbato <lu_zero@gentoo.org> 2014-01-07 09:43:57 +0100
commit: ff8837e9c60a99172565c47d7fcf432418c0dac8 (patch)
tree: af798a6005012cfc4840df5f3f148aea6f50e826
parent: 036136fa89ac44fd89c7f4730d3039f0b3b92cfd (diff)
download: ffmpeg-ff8837e9c60a99172565c47d7fcf432418c0dac8.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index adb25ffa38..e2216f3fdb 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1943,7 +1943,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
 
         avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);
 
-        if (ch + m->nb_channels > avctx->channels) {
+        if (ch + m->nb_channels > avctx->channels ||
+            s->coff[fr] + m->nb_channels > avctx->channels) {
             av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
                                         "channel count\n");
             return AVERROR_INVALIDDATA;
author	Martin Storsjö <martin@martin.st>	2013-09-19 15:32:02 +0300
committer	Luca Barbato <lu_zero@gentoo.org>	2014-01-07 09:43:57 +0100
commit	ff8837e9c60a99172565c47d7fcf432418c0dac8 (patch)
tree	af798a6005012cfc4840df5f3f148aea6f50e826
parent	036136fa89ac44fd89c7f4730d3039f0b3b92cfd (diff)
download	ffmpeg-ff8837e9c60a99172565c47d7fcf432418c0dac8.tar.gz