From patchwork Wed Dec 14 23:39:10 2016
X-Patchwork-Submitter: Matthew Wolenetz
X-Patchwork-Id: 1789
From: Matthew Wolenetz
Date: Wed, 14 Dec 2016 15:39:10 -0800
To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

Similar to existing lavc/vorbisdec.c code which first checks that avc->channels is valid for accessing ff_vorbis_channel_layouts, this change adds protection to libopusdec.c to prevent accessing that array with a negative index.

Reference https://crbug.com/666794.

From 141e56ccf7fc56646424484d357b6c74a486d2e2 Mon Sep 17 00:00:00 2001
From: Matt Wolenetz
Date: Mon, 21 Nov 2016 17:30:50 -0800
Subject: [PATCH] lavc/libopusdec.c Fix ff_vorbis_channel_layouts OOB

Similar to existing lavc/vorbisdec.c code which first checks that avc->channels is valid for accessing ff_vorbis_channel_layouts, this change adds protection to libopusdec.c to prevent accessing that array with a negative index.

Reference https://crbug.com/666794.

---
 libavcodec/libopusdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c
index acc62f1..c2c7adc 100644
--- a/libavcodec/libopusdec.c
+++ b/libavcodec/libopusdec.c
@@ -50,6 +50,10 @@ static av_cold int libopus_decode_init(AVCodecContext *avc) avc->sample_rate = 48000; avc->sample_fmt = avc->request_sample_fmt == AV_SAMPLE_FMT_FLT ? AV_SAMPLE_FMT_FLT : AV_SAMPLE_FMT_S16; + if (avc->channels <= 0) { + av_log(avc, AV_LOG_ERROR, "Invalid number of channels\n"); + return AVERROR(EINVAL); + } avc->channel_layout = avc->channels > 8 ? 0 : ff_vorbis_channel_layouts[avc->channels - 1]; -- 2.8.0.rc3.226.g39d4020
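Review bot: The new `avc->channels <= 0` branch in libopus_decode_init() logs "Invalid number of channels" without the rejected value, so a log from a malformed stream will not show what the container actually declared; consider `"Invalid number of channels %d\n", avc->channels`. The guard itself is in the right place relative to the lookup: it sits directly before `ff_vorbis_channel_layouts[avc->channels - 1]`, and together with the existing `avc->channels > 8 ? 0 :` test it limits the index to 0..7, covering both the zero case (index -1) and negative counts. One ordering point: the check comes after `avc->sample_rate` and `avc->sample_fmt` have already been assigned, so a failed init leaves the context partly modified. Moving the check above those two assignments would let the function reject bad input before touching `avc`.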