From: Michael Niedermayer Date: Wed, 12 Dec 2012 13:09:19 +0000 (+0100) Subject: avfilter_get_video_buffer_ref_from_frame: check channel count X-Git-Tag: android-x86-4.4-r1~7275 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=5a4eb6aa275e4c1b80e1e125a7901903e35219f2;p=android-x86%2Fexternal-ffmpeg.git avfilter_get_video_buffer_ref_from_frame: check channel count more than 8 channels is not supported and crashes with null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer
---
diff --git a/libavfilter/avcodec.c b/libavfilter/avcodec.c
index 688f1b397a..705cf80ca5 100644
--- a/libavfilter/avcodec.c
+++ b/libavfilter/avcodec.c
@@ -92,8 +92,12 @@ AVFilterBufferRef *avfilter_get_video_buffer_ref_from_frame(const AVFrame *frame
 AVFilterBufferRef *avfilter_get_audio_buffer_ref_from_frame(const AVFrame *frame, int perms) {
- AVFilterBufferRef *samplesref =
- avfilter_get_audio_buffer_ref_from_arrays((uint8_t **)frame->data, frame->linesize[0], perms,
+ AVFilterBufferRef *samplesref;
+
+ if(av_frame_get_channels(frame) > 8) // libavfilter does not suport more than 8 channels FIXME, remove once libavfilter is fixed
+ return NULL;
+
+ samplesref = avfilter_get_audio_buffer_ref_from_arrays((uint8_t **)frame->data, frame->linesize[0], perms,
 frame->nb_samples, frame->format, av_frame_get_channel_layout(frame)); if (!samplesref)
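Review bot: The new guard in avfilter_get_audio_buffer_ref_from_frame tests `av_frame_get_channels(frame) > 8`, but the buffer built right after it is sized from `av_frame_get_channel_layout(frame)`, so a frame whose channel count is unset or disagrees with its layout would presumably still reach the path that dereferences NULL. Checking the value that is actually passed on closes that gap: `if (av_frame_get_channels(frame) > 8 || av_get_channel_layout_nb_channels(av_frame_get_channel_layout(frame)) > 8) return NULL;`. The bare `8` would read better as a named constant tied to the size of the data-pointer array it protects, and the comment has a typo (`suport`). Callers cannot tell this NULL from an allocation failure, so an `av_log` line at the rejection point would make the unsupported-input case visible. The function body continues past the end of the hunk, so how the `if (!samplesref)` branch handles the result is not visible here.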