From 00f98d23b1462afb97116b947334db3754516207 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 27 Jun 2018 15:56:18 +0200
Subject: [PATCH] avcodec/ac3dec: Check channel_map index

Fixes: out of array read
Fixes: 8924/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EAC3_fuzzer-5851861780267008
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/ac3dec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index dfa025cbcc..ea7e052f8b 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1690,6 +1690,7 @@ dependent_frame:
 if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT) {
 uint64_t ich_layout = avpriv_ac3_channel_layout_tab[s->prev_output_mode & ~AC3_OUTPUT_LFEON];
+ int channel_map_size = ff_ac3_channels_tab[s->output_mode & ~AC3_OUTPUT_LFEON] + s->lfe_on;
 uint64_t channel_layout;
 int extend = 0;
 
@@ -1718,6 +1719,9 @@ dependent_frame:
 custom_channel_map_locations[ch][1]);
 if (index < 0)
 return AVERROR_INVALIDDATA;
+ if (extend >= channel_map_size)
+ return AVERROR_INVALIDDATA;
+
 extended_channel_map[index] = offset + channel_map[extend++];
 } else {
 int i;
@@ -1728,6 +1732,9 @@ dependent_frame:
 1LL << i);
 if (index < 0)
 return AVERROR_INVALIDDATA;
+ if (extend >= channel_map_size)
+ return AVERROR_INVALIDDATA;
+
 extended_channel_map[index] = offset + channel_map[extend++];
 }
 }
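Review bot: The new `channel_map_size` declared in the first hunk says nothing about what it bounds, and `extend` and `channel_map` (both declared outside the second and third hunks) are only meaningful in relation to it, so a comment at the declaration would make the two added guards self-explanatory, e.g. `/* number of valid entries in channel_map for this frame's output_mode (LFE included); bounds the extend index used below */`. The guards in the second and third hunks are the same check at the same point of two loops, which is what the bitstream-controlled s->channel_map requires, since each set bit can consume one or more channel_map entries while the output layout fixes how many exist, and rejecting the frame with AVERROR_INVALIDDATA rather than clamping is the right choice because the substream then describes more channels than the output carries. This presumes `s->output_mode & ~AC3_OUTPUT_LFEON` has already been validated as an index into ff_ac3_channels_tab by the header parser, which is not visible here; if it has not, the size computation itself reads out of bounds before either guard runs. The enclosing dependent-frame block begins before the first hunk and continues past the last.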