[FFmpeg-devel] [PATCH] ac3: validate end in ff_ac3_bit_alloc_calc_mask

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Thu Apr 16 23:56:28 CEST 2015


On 16.04.2015 23:04, Michael Niedermayer wrote:
> On Thu, Apr 16, 2015 at 09:25:26PM +0200, Andreas Cadhalpun wrote:
>> This fixes an invalid read if end is 0:
>>      band_end   = ff_ac3_bin_to_band_tab[end-1] + 1;
>>
>> Depending on what is before the array, this can cause stack smashing,
>> when band_end becomes too large.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>>  libavcodec/ac3.c | 3 +++
>>  1 file changed, 3 insertions(+)
> 
> I think it would be better to (also) error out earlier when end_freq
> would not be set to a valid value

I don't think it's possible to error out much earlier. One could add a
check in ac3dec directly before calling ff_ac3_bit_alloc_calc_mask, but
that would save just one function call.
Whether that function is called depends on 'bit_alloc_stages[ch] > 1'
and bit_alloc_stages is determined just a few lines before that call.

On the other hand maybe that function shouldn't be called at all in
the 's->exp_strategy[blk][ch] == EXP_REUSE' case?

> but checking in ff_ac3_bit_alloc_calc_mask() is possibly more robust
> so applied

Yes, it's more robust and the function is also called from the encoder.

Best regards,
Andreas
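
An added example, not part of the original message and not FFmpeg's code: a simplified stand-in for the lookup discussed in this thread, showing where `end == 0` would turn `tab[end-1]` into an out-of-bounds read and how a range check at the top of the function rejects it. The table contents, the sizes and the name `band_power` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_BINS  16   /* constructed size, not the real AC-3 bin count */
#define NUM_BANDS 6    /* constructed size, not the real AC-3 band count */

/* Constructed bin -> band map, standing in for ff_ac3_bin_to_band_tab. */
static const uint8_t bin_to_band[NUM_BINS] = {
    0, 1, 2, 2, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 5
};

/* Hypothetical helper: sum per-bin power into per-band power for bins
 * [start, end). Returns the number of bands written, or -1 on a bad range. */
int band_power(const int16_t *bin_psd, int start, int end,
               int32_t band_psd[NUM_BANDS])
{
    /* Without this check, end == 0 makes the lookup below read
     * bin_to_band[-1]; whatever byte sits before the table becomes
     * band_end, which is the only bound on the writes to band_psd[]. */
    if (start < 0 || end <= start || end > NUM_BINS)
        return -1;

    int band     = bin_to_band[start];
    int band_end = bin_to_band[end - 1] + 1;  /* same shape as the quoted line */
    int bin      = start;

    for (int b = band; b < band_end; b++) {
        int32_t sum = 0;
        while (bin < end && bin_to_band[bin] == b)
            sum += bin_psd[bin++];
        band_psd[b] = sum;                    /* bounded only by band_end */
    }
    return band_end - band;
}

int main(void)
{
    int16_t psd[NUM_BINS];                    /* constructed sample input */
    int32_t out[NUM_BANDS];
    for (int i = 0; i < NUM_BINS; i++) psd[i] = (int16_t)(i + 1);

    printf("end=16 -> %d bands\n", band_power(psd, 0, NUM_BINS, out));
    printf("end=0  -> %d (rejected)\n", band_power(psd, 0, 0, out));
    return 0;
}
```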

