aacdec: Fix out of array writes (stack).

Set the element to channel vector (e2c_vec) size to be the maximum
number of aac channel elements. This makes it slightly larger than it
needs to be because CCEs are never mapped to output channel locations.

Also add a check that all input tags (legal or not) will fit.

Split from FFmpeg commit a8d67efa53

Signed-off-by: Alex Converse <alex.converse@gmail.com>
pull/3/merge
Michael Niedermayer 13 years ago committed by Alex Converse
parent 6294d708b8
commit d53fe096e4
  1. 5
      libavcodec/aacdec.c

@ -223,10 +223,13 @@ static int count_paired_channels(uint8_t (*layout_map)[3], int tags, int pos, in
static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
{ {
int i, n, total_non_cc_elements; int i, n, total_non_cc_elements;
struct elem_to_channel e2c_vec[MAX_ELEM_ID] = {{ 0 }}; struct elem_to_channel e2c_vec[4*MAX_ELEM_ID] = {{ 0 }};
int num_front_channels, num_side_channels, num_back_channels; int num_front_channels, num_side_channels, num_back_channels;
uint64_t layout; uint64_t layout;
if (FF_ARRAY_ELEMS(e2c_vec) < tags)
return 0;
i = 0; i = 0;
num_front_channels = num_front_channels =
count_paired_channels(layout_map, tags, AAC_CHANNEL_FRONT, &i); count_paired_channels(layout_map, tags, AAC_CHANNEL_FRONT, &i);
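Review bot: The added guard `if (FF_ARRAY_ELEMS(e2c_vec) < tags)` compares an unsigned element count with the signed `int tags`, so a negative `tags` is rejected only through the implicit conversion (assuming FF_ARRAY_ELEMS is the usual sizeof quotient). Writing it as `if (tags < 0 || tags > (int)FF_ARRAY_ELEMS(e2c_vec)) return 0;` makes the rejection explicit and avoids a sign-compare warning. The factor in `e2c_vec[4*MAX_ELEM_ID]` is explained only in the commit message; a comment on the declaration such as `/* sized for the maximum number of AAC channel elements; CCEs never map to output channels, so this is slightly oversized */` would keep that reasoning next to the stack array. The guard bounds the array only if every later write to `e2c_vec` uses an index below `tags`; those writes are in the part of sniff_channel_order outside this hunk and should be checked against the new size.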
