shorten: set invalid channels count to 0
authorReinhard Tartler <siretart@tauware.de>
Tue, 7 May 2013 05:26:19 +0000 (07:26 +0200)
committerReinhard Tartler <siretart@tauware.de>
Thu, 9 May 2013 09:28:28 +0000 (11:28 +0200)
Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
CC: libav-stable@libav.org
(cherry picked from commit c10da30d8426a1f681d99a780b6e311f7fb4e5c5)
(cherry picked from commit 21d568be179c54a1596d1377b4da7fbe755bfe7f)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/shorten.c

libavcodec/shorten.c

index cb3d09d..b12d6e6 100644 (file)
@@ -344,6 +344,7 @@ static int shorten_decode_frame(AVCodecContext *avctx,
         s->channels = get_uint(s, CHANSIZE);
         if (s->channels <= 0 || s->channels > MAX_CHANNELS) {
             av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels);
+            s->channels = 0;
             return -1;
         }