[FFmpeg-cvslog] ac3: validate end in ff_ac3_bit_alloc_calc_mask
Andreas Cadhalpun
git at videolan.org
Thu Apr 16 23:05:08 CEST 2015
ffmpeg | branch: master | Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> | Thu Apr 16 21:25:26 2015 +0200| [bc4fee7f2a51635fa3c0f61d1e5164da1efeded3] | committer: Michael Niedermayer
ac3: validate end in ff_ac3_bit_alloc_calc_mask
This fixes an invalid read if end is 0:
band_end = ff_ac3_bin_to_band_tab[end-1] + 1;
Depending on what is before the array, this can cause stack smashing,
when band_end becomes too large.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bc4fee7f2a51635fa3c0f61d1e5164da1efeded3
---
libavcodec/ac3.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/ac3.c b/libavcodec/ac3.c
index c4fc77c..b54315d 100644
--- a/libavcodec/ac3.c
+++ b/libavcodec/ac3.c
@@ -131,6 +131,9 @@ int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
int band_start, band_end, begin, end1;
int lowcomp, fastleak, slowleak;
+ if (end <= 0)
+ return AVERROR_INVALIDDATA;
+
/* excitation function */
band_start = ff_ac3_bin_to_band_tab[start];
band_end = ff_ac3_bin_to_band_tab[end-1] + 1;
More information about the ffmpeg-cvslog
mailing list