On Tue, 6 Mar 2012, Alex Converse wrote:
From: Michael Niedermayer <[email protected]>
Set the element to channel vector (e2c_vec) size to be the maximum
number of aac channel elements. This makes it slightly larger than it
needs to be because CCEs are never mapped to output channel locations.
Also add a check that all input tags (legal or not) will fit.
Split from FFmpeg commit a8d67efa53dae1d14614e3a7bd4e77e4eab066ab
Signed-off-by: Alex Converse <[email protected]>
---
libavcodec/aacdec.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 4f94f5f..c7c11c9 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -223,10 +223,13 @@ static int count_paired_channels(uint8_t
(*layout_map)[3], int tags, int pos, in
static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
{
int i, n, total_non_cc_elements;
- struct elem_to_channel e2c_vec[MAX_ELEM_ID] = {{ 0 }};
+ struct elem_to_channel e2c_vec[4*MAX_ELEM_ID] = {{ 0 }};
int num_front_channels, num_side_channels, num_back_channels;
uint64_t layout;
+ if (FF_ARRAY_ELEMS(e2c_vec) < tags)
+ return 0;
+
i = 0;
num_front_channels =
count_paired_channels(layout_map, tags, AAC_CHANNEL_FRONT, &i);
--
1.7.7.3
Patch ok with me.
The discussion about "return 0" or what that value is, can be done
afterwards. This fixes a stack buffer overflow, right, so it's important
to get fixed.
// Martin
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
