aacdec: Fix out of array writes (stack).

This fixes an issue in the code to check the size that will
be written to match the actual code writing. In the long
term it would make sense to change this so the counting and
writing code are the same so they dont need to be kept in sync.

It also increases the array size, which was too small either way
and adds a redudnant saftey check.

This issue does not affect any FFmpeg release as it has been
introduced Jan 31 which is narrowly after our last release.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 5 insertions, 2 deletions

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 74ad09902e..966a2116d6 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -200,7 +200,7 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in
             break;
         if (layout_map[i][0] == TYPE_CPE) {
             if (sce_parity) {
-                if (pos == AAC_CHANNEL_FRONT || !first_cpe) {
+                if (pos == AAC_CHANNEL_FRONT && !first_cpe) {
                     sce_parity = 0;
                 } else {
                     return -1;
@@ -223,10 +223,13 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in
 static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
 {
     int i, n, total_non_cc_elements;
-    struct elem_to_channel e2c_vec[MAX_ELEM_ID] = {{ 0 }};
+    struct elem_to_channel e2c_vec[4*MAX_ELEM_ID] = {{ 0 }};
     int num_front_channels, num_side_channels, num_back_channels;
     uint64_t layout;
 
+    if(FF_ARRAY_ELEMS(e2c_vec) < tags)
+        return 0;
+
     i = 0;
     num_front_channels =
         count_paired_channels(layout_map, tags, AAC_CHANNEL_FRONT, &i);