alac: Check channel indexes more completely, fix out of array accesses.
authorMichael Niedermayer <michaelni@gmx.at>
Sat, 10 Nov 2012 17:21:50 +0000 (18:21 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Sat, 10 Nov 2012 17:22:47 +0000 (18:22 +0100)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/alac.c

index 46c3a5b..93db034 100644 (file)
@@ -495,7 +495,9 @@ static int alac_decode_frame(AVCodecContext *avctx, void *data,
         }
 
         channels = (element == TYPE_CPE) ? 2 : 1;
-        if (ch + channels > alac->channels) {
+        if (   ch + channels > alac->channels
+            || alac_channel_layout_offsets[alac->channels - 1][ch] + channels > alac->channels
+        ) {
             av_log(avctx, AV_LOG_ERROR, "invalid element channel count\n");
             return AVERROR_INVALIDDATA;
         }