From 56b6a43056235fc110a018678da590595734203d Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sat, 29 Sep 2012 11:31:35 -0400 Subject: ac3dec: ensure get_buffer() gets a buffer for the correct number of channels If there is an error during frame parsing, but AVCodecContext.channels was changed and AC3DecodeContext.out_channels was set previously, the two may not match. Fixes CVE-2012-2802 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavcodec/ac3dec.c | 1 + 1 file changed, 1 insertion(+) (limited to 'libavcodec/ac3dec.c') diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 37426c6158..12770db2de 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1369,6 +1369,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, avctx->audio_service_type = AV_AUDIO_SERVICE_TYPE_KARAOKE; /* get output buffer */ + avctx->channels = s->out_channels; s->frame.nb_samples = s->num_blocks * 256; if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); -- cgit v1.2.3