[03/11] mpegaudiodec: Validate that the number of channels fits at the given offset

Message ID 1379599756-27062-3-git-send-email-martin@martin.st
State Committed
Commit e9d61de96c113ee0ef8082833c7e682df0e23eec

Commit Message

Martin Storsjö Sept. 19, 2013, 2:09 p.m.
This is similar to the fix in 35cbc98b.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/mpegaudiodec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Kostya Shishkov Sept. 19, 2013, 2:19 p.m. | #1
On Thu, Sep 19, 2013 at 05:09:08PM +0300, Martin Storsjö wrote:
> This is similar to the fix in 35cbc98b.
> 
> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: libav-stable@libav.org
> ---
>  libavcodec/mpegaudiodec.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
> index c18f433..423b4b0 100644
> --- a/libavcodec/mpegaudiodec.c
> +++ b/libavcodec/mpegaudiodec.c
> @@ -1939,7 +1939,8 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
>  
>          avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);
>  
> -        if (ch + m->nb_channels > avctx->channels) {
> +        if (ch + m->nb_channels > avctx->channels ||
> +            s->coff[fr] + m->nb_channels > avctx->channels) {
>              av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
>                                          "channel count\n");
>              return AVERROR_INVALIDDATA;
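Review bot: the added `s->coff[fr] + m->nb_channels > avctx->channels` condition reuses the existing log text "frame channel count exceeds codec channel count", so a rejected stream gives no hint whether the running count `ch` or the offset `s->coff[fr]` tripped the check. Consider including `ch`, `s->coff[fr]` and `m->nb_channels` in the `av_log` call, or giving the offset case its own message, so reports against this path can be triaged from the log alone.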
> -- 

probably OK as well

Patch

diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index c18f433..423b4b0 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1939,7 +1939,8 @@  static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
 
         avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);
 
-        if (ch + m->nb_channels > avctx->channels) {
+        if (ch + m->nb_channels > avctx->channels ||
+            s->coff[fr] + m->nb_channels > avctx->channels) {
             av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
                                         "channel count\n");
             return AVERROR_INVALIDDATA;
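Review bot: the new condition reads `s->coff[fr]`, and nothing in the visible context shows `fr` being range-checked against the size of `coff` before this point; please confirm that bound holds on every path into this check, since a validation that itself indexes out of range would defeat its purpose. The commit message also only points at 35cbc98b; one sentence stating that the frame's channels must fit at offset `s->coff[fr]` as well as within the running count `ch` would make the fix understandable without looking up the other commit.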