From 0458066f8f9012e71dc3b20f4eb8484f7c5c13bf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 10 Jun 2024 23:41:07 +0200
Subject: [PATCH] avfilter/af_pan: check nb_output_channels before use

Fixes: CID1500281 Out-of-bounds write
Fixes: CID1500331 Out-of-bounds write

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5fe8bf4aa51350b14d0babd47b0314232e703caf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavfilter/af_pan.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c
index 34e522c9d4..10064ddb6b 100644
--- a/libavfilter/af_pan.c
+++ b/libavfilter/af_pan.c
@@ -126,6 +126,14 @@ static av_cold int init(AVFilterContext *ctx)
     if (ret < 0)
         goto fail;
 
+    if (pan->nb_output_channels > MAX_CHANNELS) {
+        av_log(ctx, AV_LOG_ERROR,
+               "af_pan supports a maximum of %d channels. "
+               "Feel free to ask for a higher limit.\n", MAX_CHANNELS);
+        ret = AVERROR_PATCHWELCOME;
+        goto fail;
+    }
+
     /* parse channel specifications */
     while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) {
         int used_in_ch[MAX_CHANNELS] = {0};