avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]'
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 14 May 2017 12:42:45 +0000 (14:42 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 14 May 2017 13:30:08 +0000 (15:30 +0200)
It seems dual mono with a LFE channel is not forbidden

Fixes: 1570/clusterfuzz-testcase-minimized-6455337349545984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/ac3dec.c

index ffea9d3..c393076 100644 (file)
@@ -1389,7 +1389,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
     for (ch = 1; ch <= s->channels; ch++) {
         int audio_channel = 0;
         INTFLOAT gain;
-        if (s->channel_mode == AC3_CHMODE_DUALMONO)
+        if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2)
             audio_channel = 2-ch;
         if (s->heavy_compression && s->compression_exists[audio_channel])
             gain = s->heavy_dynamic_range[audio_channel];