Fixes: out of array read Fixes: 8924/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EAC3_fuzzer-5851861780267008
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/ac3dec.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index b1239a1845..eed8ce5b39 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1671,6 +1671,7 @@ dependent_frame:
 if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT) {
 uint64_t ich_layout = avpriv_ac3_channel_layout_tab[s->prev_output_mode & ~AC3_OUTPUT_LFEON];
+ int channel_map_size = ff_ac3_channels_tab[s->output_mode & ~AC3_OUTPUT_LFEON] + s->lfe_on;
 uint64_t channel_layout;
 int extend = 0;
@@ -1699,6 +1700,9 @@ dependent_frame: ff_eac3_custom_channel_map_locations[ch][1]); if (index < 0) return AVERROR_INVALIDDATA; + if (extend >= channel_map_size) + return AVERROR_INVALIDDATA; + extended_channel_map[index] = offset + channel_map[extend++]; } else { int i;
@@ -1709,6 +1713,9 @@ dependent_frame: 1LL << i); if (index < 0) return AVERROR_INVALIDDATA; + if (extend >= channel_map_size) + return AVERROR_INVALIDDATA; + extended_channel_map[index] = offset + channel_map[extend++]; } }
-- 2.18.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
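Review bot: The declaration of `channel_map_size` added in the first hunk carries no comment saying which array it bounds, and `channel_map` itself is declared outside the hunk, so it cannot be confirmed from here that both are selected by the same `s->output_mode & ~AC3_OUTPUT_LFEON` / `s->lfe_on` pair. I would add `/* number of valid entries in channel_map[] for the current output mode, including LFE */` above it, and ideally derive the bound next to where `channel_map` is chosen so the two cannot drift apart. Nothing visible bounds `s->output_mode & ~AC3_OUTPUT_LFEON` as an index into `ff_ac3_channels_tab` either; presumably it is validated earlier in the decoder, but that is worth confirming since this value now gates a memory-safety check. The enclosing block starts and ends outside the hunk.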
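Review bot: The store to `extended_channel_map[index]` in the second hunk (and identically in the third) is still guarded only by `index < 0`; the added test bounds the read index `extend`, but no upper bound on `index` is visible and the array's declaration is outside these hunks. If the layout-index helper cannot be shown to stay below the array size, fold an upper bound into the existing test, e.g. `if (index < 0 || index >= FF_ARRAY_ELEMS(extended_channel_map)) return AVERROR_INVALIDDATA;` (assuming it is a true array rather than a pointer). The `extend >= channel_map_size` check is also duplicated verbatim in both branches, so any later change to the bound has to be made twice; a short comment such as `/* channel_map[] has channel_map_size entries */` at each site would at least keep the intent obvious.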