Fix an exploit in indeo by checking we are not writing out of the strip array.

[ffmpeg] / libavcodec / aac_ac3_parser.c

diff --git a/libavcodec/aac_ac3_parser.c b/libavcodec/aac_ac3_parser.c
index f28f3f26782b382d15338878ce9759299a0354eb..fedabdf8153cb42353c4644be5cd4fdbd2b7cce9 100644 (file)
--- a/libavcodec/aac_ac3_parser.c
+++ b/libavcodec/aac_ac3_parser.c
@@ -1,7 +1,7 @@
 /*
- * Common AAC and AC3 parser
- * Copyright (c) 2003 Fabrice Bellard.
- * Copyright (c) 2003 Michael Niedermayer.
+ * Common AAC and AC-3 parser
+ * Copyright (c) 2003 Fabrice Bellard
+ * Copyright (c) 2003 Michael Niedermayer
  *
  * This file is part of FFmpeg.
  *
@@ -49,9 +49,10 @@ get_next:
             if(len<=0){
                 i=END_NOT_FOUND;
             }else{
+                s->state=0;
                 i-= s->header_size -1;
                 s->remaining_size = len;
-                if(!new_frame_start){
+                if(!new_frame_start || pc->index+i<=0){
                     s->remaining_size += i;
                     goto get_next;
                 }
@@ -71,12 +72,13 @@ get_next:
 
     /* update codec info */
     avctx->sample_rate = s->sample_rate;
-    /* allow downmixing to stereo (or mono for AC3) */
+    /* allow downmixing to stereo (or mono for AC-3) */
     if(avctx->request_channels > 0 &&
             avctx->request_channels < s->channels &&
             (avctx->request_channels <= 2 ||
             (avctx->request_channels == 1 &&
-            avctx->codec_id == CODEC_ID_AC3))) {
+            (avctx->codec_id == CODEC_ID_AC3 ||
+             avctx->codec_id == CODEC_ID_EAC3)))) {
         avctx->channels = avctx->request_channels;
     } else {
         avctx->channels = s->channels;