[FFmpeg-cvslog] aacdec: Fix out of array writes (stack).

Michael Niedermayer git at videolan.org
Tue Mar 6 21:57:14 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Mar  6 21:21:02 2012 +0100| [a8d67efa53dae1d14614e3a7bd4e77e4eab066ab] | committer: Michael Niedermayer

aacdec: Fix out of array writes (stack).

This fixes an issue in the code to check the size that will
be written to match the actual code writing. In the long
term it would make sense to change this so the counting and
writing code are the same so they don't need to be kept in sync.

It also increases the array size, which was too small either way
and adds a redundant safety check.

This issue does not affect any FFmpeg release as it has been
introduced Jan 31 which is narrowly after our last release.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a8d67efa53dae1d14614e3a7bd4e77e4eab066ab
---

 libavcodec/aacdec.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 74ad099..966a211 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -200,7 +200,7 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in
             break;
         if (layout_map[i][0] == TYPE_CPE) {
             if (sce_parity) {
-                if (pos == AAC_CHANNEL_FRONT || !first_cpe) {
+                if (pos == AAC_CHANNEL_FRONT && !first_cpe) {
                     sce_parity = 0;
                 } else {
                     return -1;
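
Review bot: the corrected condition `pos == AAC_CHANNEL_FRONT && !first_cpe` in count_paired_channels() carries no comment saying which writing code it has to mirror, and the commit message itself notes that the counting and writing logic must be kept in sync by hand. A short comment at this `if` naming the counterpart branch in the writer would make the next divergence easier to spot in review. Since the `else` path returns -1, the stricter `&&` now rejects layouts that `||` used to accept, so it is also worth confirming that every caller treats a negative count as an error before using it as a size or index.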
@@ -223,10 +223,13 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in
 static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
 {
     int i, n, total_non_cc_elements;
-    struct elem_to_channel e2c_vec[MAX_ELEM_ID] = {{ 0 }};
+    struct elem_to_channel e2c_vec[4*MAX_ELEM_ID] = {{ 0 }};
     int num_front_channels, num_side_channels, num_back_channels;
     uint64_t layout;
 
+    if(FF_ARRAY_ELEMS(e2c_vec) < tags)
+        return 0;
+
     i = 0;
     num_front_channels =
         count_paired_channels(layout_map, tags, AAC_CHANNEL_FRONT, &i);
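
Review bot: the factor in `e2c_vec[4*MAX_ELEM_ID]` is a magic number with no comment deriving it, so nothing on these lines shows that it matches the largest `tags` value a caller can pass. Consider a named constant, or a comment stating the bound on `tags`, so the array size and the new `FF_ARRAY_ELEMS(e2c_vec) < tags` guard are visibly tied to the same limit. The guard returns 0 silently from a function that returns a `uint64_t` layout; a log message there would make a rejected stream diagnosable. Style: `if(FF_ARRAY_ELEMS(...` is missing the space after `if` that the other conditions in this file use.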


