alac: Check that the channels fit at the given offset

The code tries to decode a number of channels at the offset given by the ff_alac_channel_layout_offsets table. Even if the number of channels decoded so far doesn't exceed the total number of channels, we need to check that we actually can decode that number of channels at this offset as well. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
author: Martin Storsjö <martin@martin.st> 2013-09-03 14:16:40 +0300
committer: Martin Storsjö <martin@martin.st> 2013-09-03 22:57:52 +0300
commit: 35cbc98b720db95b923cb2d745f77bb2ee4363dc (patch)
tree: 186693561ce0101e07131e8649963f9aa00cdc5b /libavcodec/alac.c
parent: d719981273bc779c7d1e879d88404fd867f93a0e (diff)
download: ffmpeg-35cbc98b720db95b923cb2d745f77bb2ee4363dc.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index d643dd3eab..41d1f772e8 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -418,7 +418,8 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data,
         }
 
         channels = (element == TYPE_CPE) ? 2 : 1;
-        if (ch + channels > alac->channels) {
+        if (ch + channels > alac->channels ||
+            ff_alac_channel_layout_offsets[alac->channels - 1][ch] + channels > alac->channels) {
             av_log(avctx, AV_LOG_ERROR, "invalid element channel count\n");
             return AVERROR_INVALIDDATA;
         }
author	Martin Storsjö <martin@martin.st>	2013-09-03 14:16:40 +0300
committer	Martin Storsjö <martin@martin.st>	2013-09-03 22:57:52 +0300
commit	35cbc98b720db95b923cb2d745f77bb2ee4363dc (patch)
tree	186693561ce0101e07131e8649963f9aa00cdc5b /libavcodec/alac.c
parent	d719981273bc779c7d1e879d88404fd867f93a0e (diff)
download	ffmpeg-35cbc98b720db95b923cb2d745f77bb2ee4363dc.tar.gz