[FFmpeg-cvslog] ac3dec: ensure get_buffer() gets a buffer for the correct number of channels
Justin Ruggles
git at videolan.org
Thu Oct 25 16:27:06 CEST 2012
ffmpeg | branch: release/0.10 | Justin Ruggles <justin.ruggles at gmail.com> | Sat Sep 29 11:31:35 2012 -0400| [d7de11260bd1f656b475dbe96c10a602fbff332e] | committer: Reinhard Tartler
ac3dec: ensure get_buffer() gets a buffer for the correct number of channels
If there is an error during frame parsing, but AVCodecContext.channels was
changed and AC3DecodeContext.out_channels was set previously, the two may not
match.
Fixes CVE-2012-2802
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 56b6a43056235fc110a018678da590595734203d)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d7de11260bd1f656b475dbe96c10a602fbff332e
---
libavcodec/ac3dec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index fdc1d68..28a783a 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1404,6 +1404,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE;
/* get output buffer */
+ avctx->channels = s->out_channels;
s->frame.nb_samples = s->num_blocks * 256;
if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
More information about the ffmpeg-cvslog
mailing list