RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ac3dec: ensure get_buffer() gets a buffer for the correct number of channels 

If there is an error during frame parsing, but AVCodecContext.channels was
changed and AC3DecodeContext.out_channels was set previously, the two may not
match.

Fixes CVE-2012-2802
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable@libav.org
This commit is contained in:
Justin Ruggles 2012-09-29 11:31:35 -04:00
parent 1a8c6917f6
commit 56b6a43056
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
libavcodec/ac3dec.c
View File

@ -1369,6 +1369,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE;
/* get output buffer */ /* get output buffer */
avctx->channels = s->out_channels;
s->frame.nb_samples = s->num_blocks * 256; s->frame.nb_samples = s->num_blocks * 256;
if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");