From c10da30d8426a1f681d99a780b6e311f7fb4e5c5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Tue, 5 Mar 2013 15:13:04 +0100
Subject: shorten: set invalid channels count to 0

Prevent the loop shorten_decode_close from writing and freeing out of
the array boundary.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavcodec/shorten.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'libavcodec/shorten.c')

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index e678ee8e6a..d99877bb02 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -341,6 +341,7 @@ static int read_header(ShortenContext *s)
     s->channels = get_uint(s, CHANSIZE);
     if (s->channels <= 0 || s->channels > MAX_CHANNELS) {
         av_log(s->avctx, AV_LOG_ERROR, "too many channels: %d\n", s->channels);
+        s->channels = 0;
         return -1;
     }
     s->avctx->channels = s->channels;
-- 
cgit v1.2.3