From e2822726677e3e8870ae4145377505925261e03b Mon Sep 17 00:00:00 2001 From: Ramiro Polla Date: Wed, 6 May 2009 16:01:28 +0000 Subject: [PATCH] mlpdec: Fix possible writing out of array bounds introduced by being under-paranoid in r18651. Originally committed as revision 18763 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavcodec/mlpdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index f1a3b3a348..0a64d79897 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -377,6 +377,15 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return -1; } + /* This should happen for TrueHD streams with >6 channels and MLP's noise + * type. It is not yet known if this is allowed. */ + if (s->max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) { + av_log(m->avctx, AV_LOG_ERROR, + "Number of channels %d is larger than the maximum supported " + "by the decoder. %s\n", s->max_channel+2, sample_message); + return -1; + } + if (s->min_channel > s->max_channel) { av_log(m->avctx, AV_LOG_ERROR, "Substream min channel cannot be greater than max channel.\n");