From c509f4f74713b035a06f79cb4d00e708f5226bc5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 17 Dec 2011 03:18:58 +0100
Subject: atrac3: Fix crash in tonal component decoding.

Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
---
 libavcodec/atrac3.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'libavcodec/atrac3.c')

diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
index fd036e720a..136b16c36d 100644
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -402,6 +402,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent
 
             for (k=0; k<coded_components; k++) {
                 sfIndx = get_bits(gb,6);
+                if (component_count >= 64)
+                    return AVERROR_INVALIDDATA;
                 pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
                 max_coded_values = SAMPLES_PER_FRAME - pComponent[component_count].pos;
                 coded_values = coded_values_per_component + 1;
-- 
cgit v1.2.3