RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2024-12-12 18:25:03 +00:00
Code Issues Projects Releases Wiki Activity

aacdec: avoid an out-of-bounds write

Browse Source 
Also move the check in the case it is actually used.

CC: libav-stable@libav.org
Bug-Id: CID 1087090
(cherry picked from commit b99ca86350)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This commit is contained in:
Vittorio Giovara 2014-11-21 12:57:40 +00:00 committed by Luca Barbato
parent 484e015dc8
commit fbc20c3b85
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/aacdec.c
View File

@ -143,8 +143,6 @@ static av_cold int che_configure(AACContext *ac,
enum ChannelPosition che_pos, enum ChannelPosition che_pos,
int type, int id, int *channels) int type, int id, int *channels)
{ {
if (*channels >= MAX_CHANNELS)
return AVERROR_INVALIDDATA;
if (che_pos) { if (che_pos) {
if (!ac->che[type][id]) { if (!ac->che[type][id]) {
if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement)))) if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
@ -152,6 +150,8 @@ static av_cold int che_configure(AACContext *ac,
ff_aac_sbr_ctx_init(ac, &ac->che[type][id]->sbr); ff_aac_sbr_ctx_init(ac, &ac->che[type][id]->sbr);
} }
if (type != TYPE_CCE) { if (type != TYPE_CCE) {
if (*channels >= MAX_CHANNELS - 2)
return AVERROR_INVALIDDATA;
ac->output_element[(*channels)++] = &ac->che[type][id]->ch[0]; ac->output_element[(*channels)++] = &ac->che[type][id]->ch[0];
if (type == TYPE_CPE || if (type == TYPE_CPE ||
(type == TYPE_SCE && ac->oc[1].m4ac.ps == 1)) { (type == TYPE_SCE && ac->oc[1].m4ac.ps == 1)) {