[vlc-commits] faad: Fix potential stack buffer overflow
Hugo Beauzée-Luyssen
git at videolan.org
Thu May 23 17:21:02 CEST 2019
vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Tue Mar 5 15:55:29 2019 +0100| [f256bf045c2b1f7395f61b2039a67f18aee66673] | committer: Hugo Beauzée-Luyssen
faad: Fix potential stack buffer overflow
DoReordering is bound by frame.channels, but the source array was bound
by AOUT_MAX_CHAN
https://hackerone.com/reports/503208
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=f256bf045c2b1f7395f61b2039a67f18aee66673
---
modules/codec/faad.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/codec/faad.c b/modules/codec/faad.c
index ce537c8446..55dfa38e41 100644
--- a/modules/codec/faad.c
+++ b/modules/codec/faad.c
@@ -514,13 +514,13 @@ static int DecodeBlock( decoder_t *p_dec, block_t *p_block )
/* Convert frame.channel_position to our own channel values */
p_dec->fmt_out.audio.i_physical_channels = 0;
- uint8_t pi_neworder_table[AOUT_CHAN_MAX];
- uint32_t pi_faad_channels_positions[FAAD_CHANNEL_ID_COUNT + 1] = {0};
+ uint8_t pi_neworder_table[64] = {0};
+ uint32_t pi_faad_channels_positions[64 + 1] = {0};
bool b_reorder = false;
if (p_dec->fmt_out.audio.channel_type == AUDIO_CHANNEL_TYPE_BITMAP)
{
- for( size_t i = 0; i < frame.channels && i < FAAD_CHANNEL_ID_COUNT; i++ )
+ for( size_t i = 0; i < frame.channels; i++ )
{
unsigned pos = frame.channel_position[i];
if( likely(pos < FAAD_CHANNEL_ID_COUNT) )
More information about the vlc-commits
mailing list