[FFmpeg-trac] #7994(undetermined:new): undefined-behavior at libavcodec/ac3enc.c and heap buffer overflow at zmbvenc.c:97

FFmpeg trac at avcodec.org
Thu Jul 4 10:34:31 EEST 2019


#7994: undefined-behavior at libavcodec/ac3enc.c and heap buffer overflow at
zmbvenc.c:97
-------------------------------------+-------------------------------------
             Reporter:  Suhwan       |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:  undetermined |                  Version:  git-master
             Keywords:  ubsan        |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:
 There is an undefined behavior at libavcodec/ac3enc.c:1068:37 and a heap
 buffer overflow at zmbvenc.c:97.

 How to reproduce:
 {{{
 % ffmpeg_g  -y -r 79 -i tmp.webm -map 0 -c:v zmbv -c:v:80 asv1 -disposition:v:60 zmbv -disposition:s pcm_s8 -ab 962 -ar 48000 -ac 10 -b:v 399k tmp_.avi

 ffmpeg version : N-94163-g664a27ea40
 built with clang version 9.0.0
 }}}


 {{{
 1064 static int bit_alloc(AC3EncodeContext *s, int snr_offset)
 1065 {
 1066     int blk, ch;
 1067
 1068     snr_offset = (snr_offset - 240) << 2;
 1069
 1070     reset_block_bap(s);
 1071     for (blk = 0; blk < s->num_blocks; blk++) {
 1072         AC3Block *block = &s->blocks[blk];
 1073
 1074         for (ch = !block->cpl_in_use; ch <= s->channels; ch++) {
 1075             /* Currently the only bit allocation parameters which vary across
 1076                blocks within a frame are the exponent values.  We can take
 1077                advantage of that by reusing the bit allocation pointers
 1078                whenever we reuse exponents. */
 1079             if (s->exp_strategy[ch][blk] != EXP_REUSE) {
 1080                 s->ac3dsp.bit_alloc_calc_bap(block->mask[ch], block->psd[ch],
 1081                                              s->start_freq[ch], block->end_freq[ch],
 1082                                              snr_offset, s->bit_alloc.floor,
 1083                                              ff_ac3_bap_tab, s->ref_bap[ch][blk]);
 1084             }
 1085         }
 1086     }
 1087     return count_mantissa_bits(s);
 1088 }

 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/7994>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
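
An added example, not part of the ticket or of FFmpeg's code: it assumes the finding at ac3enc.c:1068:37 is the left shift of a negative value in `(snr_offset - 240) << 2`, which the ticket does not spell out. `left_shift_is_defined` and `scale_snr_offset` are hypothetical helpers that show the conditions C11 6.5.7 places on a signed left shift, next to a multiplication that stays defined for negative operands.

```c
#include <limits.h>
#include <stdio.h>

/* Returns 1 when `value << shift` is defined for a signed int under
 * C11 6.5.7: shift within the type width, value non-negative, and the
 * shifted result representable in int. Returns 0 otherwise. */
static int left_shift_is_defined(int value, int shift)
{
    const int width = (int)(sizeof(int) * CHAR_BIT);

    if (shift < 0 || shift >= width)
        return 0;               /* shift count out of range */
    if (value < 0)
        return 0;               /* negative left operand */
    return value <= (INT_MAX >> shift);   /* no signed overflow */
}

/* Hypothetical rewrite of the expression on line 1068 (an assumption,
 * not FFmpeg's fix): the same scaling by 4 as a multiplication, which is
 * defined for negative operands as long as the product fits in int. */
static int scale_snr_offset(int snr_offset)
{
    return (snr_offset - 240) * 4;
}

int main(void)
{
    /* Constructed sample inputs, not values taken from the ticket. */
    const int samples[] = { 0, 239, 240, 1023 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int operand = samples[i] - 240;

        printf("snr_offset=%4d  '<< 2' defined=%d  scaled=%d\n",
               samples[i], left_shift_is_defined(operand, 2),
               scale_snr_offset(samples[i]));
    }
    return 0;
}
```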

