[FFmpeg-cvslog] mp3on4: ensure that the frame channel count does not exceed the codec channel

Justin Ruggles git at videolan.org
Sat Oct 22 01:26:50 CEST 2011


ffmpeg | branch: master | Justin Ruggles <justin.ruggles at gmail.com> | Sun Sep 25 13:04:39 2011 -0400| [53c8443ad2376a50c76e5d7c69435bd01b0abc42] | committer: Justin Ruggles

mp3on4: ensure that the frame channel count does not exceed the codec channel
count.

This also allows for checking output data size based on the actual
number of channel instead of the maximum number of channels.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=53c8443ad2376a50c76e5d7c69435bd01b0abc42
---

 libavcodec/mpegaudiodec.c |   17 ++++++++++++++---
 1 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index f272858..c3c6ee3 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -2016,10 +2016,12 @@ static int decode_frame_mp3on4(AVCodecContext * avctx,
     uint32_t header;
     OUT_INT *out_samples = data;
     OUT_INT *outptr, *bp;
-    int fr, j, n;
+    int fr, j, n, ch;
 
-    if(*data_size < MPA_FRAME_SIZE * MPA_MAX_CHANNELS * s->frames * sizeof(OUT_INT))
-        return -1;
+    if (*data_size < MPA_FRAME_SIZE * avctx->channels * sizeof(OUT_INT)) {
+        av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
 
     *data_size = 0;
     // Discard too short frames
@@ -2031,6 +2033,7 @@ static int decode_frame_mp3on4(AVCodecContext * avctx,
 
     avctx->bit_rate = 0;
 
+    ch = 0;
     for (fr = 0; fr < s->frames; fr++) {
         fsize = AV_RB16(buf) >> 4;
         fsize = FFMIN3(fsize, len, MPA_MAX_CODED_FRAME_SIZE);
@@ -2043,6 +2046,14 @@ static int decode_frame_mp3on4(AVCodecContext * avctx,
             break;
 
         avpriv_mpegaudio_decode_header((MPADecodeHeader *)m, header);
+
+        if (ch + m->nb_channels > avctx->channels) {
+            av_log(avctx, AV_LOG_ERROR, "frame channel count exceeds codec "
+                                        "channel count\n");
+            return AVERROR_INVALIDDATA;
+        }
+        ch += m->nb_channels;
+
         out_size += mp_decode_frame(m, outptr, buf, fsize);
         buf += fsize;
         len -= fsize;



More information about the ffmpeg-cvslog mailing list