[FFmpeg-cvslog] avcodec/ac3dec: check bap before use.
Michael Niedermayer
git at videolan.org
Wed Jan 8 01:27:50 CET 2014
ffmpeg | branch: release/2.1 | Michael Niedermayer <michaelni at gmx.at> | Mon Nov 25 23:16:17 2013 +0100| [c094aec76e291dccf46239a2e221f16d695452d1] | committer: Michael Niedermayer
avcodec/ac3dec: check bap before use.
Fixes out of array read
Fixes assertion failure
Fixes asan_static-oob_16431c0_8036_rio_bravo_mono_64_spx.ac3
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 4782c4284fa3856a9b6910fe5ff6e4fb1c65b58c)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c094aec76e291dccf46239a2e221f16d695452d1
---
libavcodec/ac3dec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index f91ded0..2acd209 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -488,6 +488,10 @@ static void ac3_decode_transform_coeffs_ch(AC3DecodeContext *s, int ch_index, ma
break;
default: /* 6 to 15 */
/* Shift mantissa and sign-extend it. */
+ if (bap > 15) {
+ av_log(s->avctx, AV_LOG_ERROR, "bap %d is invalid in plain AC-3\n", bap);
+ bap = 15;
+ }
mantissa = get_sbits(gbc, quantization_tab[bap]);
mantissa <<= 24 - quantization_tab[bap];
break;
More information about the ffmpeg-cvslog
mailing list