From d57b0971987598c73ce96c9026d422c94712caae Mon Sep 17 00:00:00 2001
From: Tim-Philipp Müller <tim@centricular.com>
Date: Sat, 26 Sep 2015 09:23:05 +0100
Subject: dvdlpcmdec: fix invalid read beyond channel position array

We would always copy sizeof(sorted_position) bytes, which is
for 8 channels, but if we have less than 8 channels the
position array we copy from will only have allocated space
for channel channels, so we would read beyond the input
array in some cases.
---
 gst/dvdlpcmdec/gstdvdlpcmdec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'gst')

diff --git a/gst/dvdlpcmdec/gstdvdlpcmdec.c b/gst/dvdlpcmdec/gstdvdlpcmdec.c
index b7b6039b27..69c395f6b5 100644
--- a/gst/dvdlpcmdec/gstdvdlpcmdec.c
+++ b/gst/dvdlpcmdec/gstdvdlpcmdec.c
@@ -250,10 +250,12 @@ gst_dvdlpcmdec_update_audio_formats (GstDvdLpcmDec * dec, gint channels,
       GST_AUDIO_CHANNEL_POSITION_INVALID) {
     const GstAudioChannelPosition *position;
     GstAudioChannelPosition sorted_position[8];
+    guint c;
 
     position = channel_positions[channels - 1];
     dec->lpcm_layout = position;
-    memcpy (sorted_position, position, sizeof (sorted_position));
+    for (c = 0; c < channels; ++c)
+      sorted_position[c] = position[c];
     gst_audio_channel_positions_to_valid_order (sorted_position, channels);
     gst_audio_info_set_format (&dec->info, format, rate, channels,
         sorted_position);
-- 
cgit v1.2.3-70-g09d2