mpegaudiodec: Validate that the number of channels fits at the given offset
authorMartin Storsjö <martin@martin.st>
Thu, 19 Sep 2013 12:32:02 +0000 (15:32 +0300)
committerMartin Storsjö <martin@martin.st>
Thu, 19 Sep 2013 19:44:18 +0000 (22:44 +0300)
This is similar to the fix in 35cbc98b.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
libavcodec/mpegaudiodec.c

index c18f433..423b4b0 100644 (file)
@@ -1939,7 +1939,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
 
         avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);
 
-        if (ch + m->nb_channels > avctx->channels) {
+        if (ch + m->nb_channels > avctx->channels ||
+            s->coff[fr] + m->nb_channels > avctx->channels) {
             av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
                                         "channel count\n");
             return AVERROR_INVALIDDATA;