atrac3: Fix crash in tonal component decoding.

Add a check to avoid writing past the end of the channel_unit.components[] array. Bug Found by: cosminamironesei Fixes CVE-2012-0853 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>

atrac3: Fix crash in tonal component decoding.
Add a check to avoid writing past the end of the channel_unit.components[] array. Bug Found by: cosminamironesei Fixes CVE-2012-0853 CC: libav-stable@libav.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
c509f4f7 · Michael Niedermayer · Justin Ruggles · 9fb7a5af · c509f4f7
Commit c509f4f7 authored Dec 17, 2011 by Michael Niedermayer Committed by Justin Ruggles Feb 16, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

atrac3.c libavcodec/atrac3.c +2 -0

No files found.
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -402,6 +402,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent

            for (k=0; k<coded_components; k++) {
                sfIndx = get_bits(gb,6);
+                if (component_count >= 64)
+                    return AVERROR_INVALIDDATA;
                pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
                max_coded_values = SAMPLES_PER_FRAME - pComponent[component_count].pos;
                coded_values = coded_values_per_component + 1;