aac: check the maximum number of channels
authorReinhard Tartler <siretart@tauware.de>
Tue, 7 May 2013 05:13:50 +0000 (07:13 +0200)
committerReinhard Tartler <siretart@tauware.de>
Thu, 9 May 2013 18:05:53 +0000 (20:05 +0200)
Broken bitstreams could report a larger than specified number of
channels and cause outbound writes.

CC:libav-stable@libav.org
(cherry picked from commit a943a132f36f4df8fe2f749744677b71984abce7)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/aacdec.c

libavcodec/aacdec.c

index d479c94..b9c8c07 100644 (file)
@@ -183,6 +183,8 @@ static av_cold int che_configure(AACContext *ac,
                                  enum ChannelPosition che_pos[4][MAX_ELEM_ID],
                                  int type, int id, int *channels)
 {
+    if (*channels >= MAX_CHANNELS)
+        return AVERROR_INVALIDDATA;
     if (che_pos[type][id]) {
         if (!ac->che[type][id] && !(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
             return AVERROR(ENOMEM);