Fix an exploit in indeo by checking we are not writing out of the strip array.
[ffmpeg] / libavcodec / aac_ac3_parser.c
index cfb1a222be3b0e4b9beb06a4db649232e57049a6..fedabdf8153cb42353c4644be5cd4fdbd2b7cce9 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * Common AAC and AC-3 parser
- * Copyright (c) 2003 Fabrice Bellard.
- * Copyright (c) 2003 Michael Niedermayer.
+ * Copyright (c) 2003 Fabrice Bellard
+ * Copyright (c) 2003 Michael Niedermayer
  *
  * This file is part of FFmpeg.
  *
@@ -49,9 +49,10 @@ get_next:
             if(len<=0){
                 i=END_NOT_FOUND;
             }else{
+                s->state=0;
                 i-= s->header_size -1;
                 s->remaining_size = len;
-                if(!new_frame_start){
+                if(!new_frame_start || pc->index+i<=0){
                     s->remaining_size += i;
                     goto get_next;
                 }
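Review bot: The new guard `pc->index+i<=0` and the `s->state=0;` reset carry no comment, although both decide how the parser treats a header that straddles buffers in an untrusted stream. A short comment above the `if` would help, for example `/* header started at or before the first buffered byte: no earlier frame to emit, keep accumulating */`; this reading is inferred from the visible lines and should be confirmed. On that same path `s->remaining_size += i;` adds a possibly negative `i` to `len`, and nothing in the hunk shows that `len` is at least `s->header_size - 1`. If the sync routine (outside this hunk) does not guarantee that, a check such as `if (s->remaining_size < 0) s->remaining_size = 0;` before `goto get_next;` is worth considering. The enclosing loop and the `get_next` label lie outside the hunk.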
@@ -76,7 +77,8 @@ get_next:
             avctx->request_channels < s->channels &&
             (avctx->request_channels <= 2 ||
             (avctx->request_channels == 1 &&
-            avctx->codec_id == CODEC_ID_AC3))) {
+            (avctx->codec_id == CODEC_ID_AC3 ||
+             avctx->codec_id == CODEC_ID_EAC3)))) {
         avctx->channels = avctx->request_channels;
     } else {
         avctx->channels = s->channels;
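Review bot: As far as the visible lines show, the added `CODEC_ID_EAC3` test cannot change the outcome. The clause `avctx->request_channels == 1 && (...)` is OR-ed with `avctx->request_channels <= 2`, which is already true whenever `request_channels == 1`, so the codec check is dead logic for both AC-3 and E-AC-3. If the intent is that stereo downmix is allowed for every codec but mono only for AC-3/E-AC-3, the first alternative would need to be `avctx->request_channels == 2 ||`; otherwise the codec clause can be dropped and the rule stated in a comment. The opening of the `if` condition is outside the hunk, so this should be checked against the full expression.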