Similar to existing lavc/vorbisdec.c code which first checks that avc->channels is valid for accessing ff_vorbis_channel_layouts, this change adds protection to libopusdec.c to prevent accessing that array with a negative index. Reference https://crbug.com/666794.
From 141e56ccf7fc56646424484d357b6c74a486d2e2 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz <wolen...@chromium.org> Date: Mon, 21 Nov 2016 17:30:50 -0800 Subject: [PATCH] lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB
Similar to existing lavc/vorbisdec.c code which first checks that avc->channels is valid for accessing ff_vorbis_channel_layouts, this change adds protection to libopusdec.c to prevent accessing that array with a negative index. Reference https://crbug.com/666794. --- libavcodec/libopusdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index acc62f1..c2c7adc 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c @@ -50,6 +50,10 @@ static av_cold int libopus_decode_init(AVCodecContext *avc) avc->sample_rate = 48000; avc->sample_fmt = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ? AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16; + if (avc->channels <= 0) { + av_log(avc, AV_LOG_ERROR, "Invalid number of channels\n"); + return AVERROR(EINVAL); + } avc->channel_layout = avc->channels > 8 ? 0 : ff_vorbis_channel_layouts[avc->channels - 1]; -- 2.8.0.rc3.226.g39d4020
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
