[libav-commits] ac3dec: ensure get_buffer() gets a buffer for the correct number of channels

Justin Ruggles git at libav.org
Mon Oct 1 06:09:59 CEST 2012


Module: libav
Branch: master
Commit: 56b6a43056235fc110a018678da590595734203d

Author:    Justin Ruggles <justin.ruggles at gmail.com>
Committer: Justin Ruggles <justin.ruggles at gmail.com>
Date:      Sat Sep 29 11:31:35 2012 -0400

ac3dec: ensure get_buffer() gets a buffer for the correct number of channels

If there is an error during frame parsing, but AVCodecContext.channels was
changed and AC3DecodeContext.out_channels was set previously, the two may not
match.

Fixes CVE-2012-2802
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

CC: libav-stable at libav.org

---

 libavcodec/ac3dec.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 37426c6..12770db 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1369,6 +1369,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
         avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE;
 
     /* get output buffer */
+    avctx->channels = s->out_channels;
     s->frame.nb_samples = s->num_blocks * 256;
     if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");



More information about the libav-commits mailing list