From 4e06acbde4a75cf9aa6a3e46dd3a7c6ed1ecfb8f Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 26 Feb 2010 18:50:01 +0000 Subject: [PATCH] Fixed a segfault in the DCA decoder with corrupted streams. It happens when the number of channels defined by DCAContext:acmod is lower than DCAContext:prim_channels. In this case, dca_subsubframe() will call qmf_32_subbands() using s->channel_order_tab[] entries equal to -1. Originally committed as revision 22083 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavcodec/dca.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 20d7144c2c..e10ced7221 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -1244,6 +1244,10 @@ static int dca_decode_frame(AVCodecContext * avctx, } else s->channel_order_tab = dca_channel_reorder_nolfe[s->amode]; + if (s->prim_channels > 0 && + s->channel_order_tab[s->prim_channels - 1] < 0) + return -1; + if(avctx->request_channels == 2 && s->prim_channels > 2) { channels = 2; s->output = DCA_STEREO;
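Review bot: The added guard `s->channel_order_tab[s->prim_channels - 1] < 0` inspects only the entry for the last primary channel. It is therefore sound only if every row of the reorder tables keeps its -1 padding after all valid entries, and only if `s->amode` and `s->prim_channels - 1` are already within the table dimensions when this line runs; neither is visible in this hunk and both come from the bitstream. I would state that invariant next to the check, for example `/* rows are padded with trailing -1: a negative last entry means amode provides fewer channels than prim_channels */`, and confirm that the range checks happen earlier in header parsing. The bare `return -1;` also drops the frame silently, so an `av_log(avctx, AV_LOG_ERROR, "channel layout does not cover prim_channels\n");` before it would make rejected corrupt streams diagnosable. The body of dca_decode_frame starts and ends outside the hunk.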