[FFmpeg-cvslog] avcodec/apedec: Check length in long_filter_high_3800()

Michael Niedermayer git at videolan.org
Sun Dec 6 12:57:26 CET 2015


ffmpeg | branch: release/2.4 | Michael Niedermayer <michael at niedermayer.cc> | Wed Dec  2 21:16:27 2015 +0100| [ce15d773d4f7a3f224342b5eb9ccad93c71421e6] | committer: Michael Niedermayer

avcodec/apedec: Check length in long_filter_high_3800()

Fixes out of array read
Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a)

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce15d773d4f7a3f224342b5eb9ccad93c71421e6
---

 libavcodec/apedec.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 577d0aa..7893bc3 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -905,6 +905,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift,
     int i, j;
     int32_t dotprod, sign;
 
+    if (order >= length)
+        return;
+
     memset(coeffs, 0, order * sizeof(*coeffs));
     for (i = 0; i < order; i++)
         delay[i] = buffer[i];
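
Review bot: The new `if (order >= length) return;` guard at the top of long_filter_high_3800() exits silently, so input that triggers it leaves `buffer` unfiltered and, because the function is void, the caller gets no indication that filtering was skipped. Consider adding a short comment stating the invariant the check protects (the copy loop that follows reads `buffer[0]` through `buffer[order - 1]`, so `order` must stay within the number of valid samples), and consider validating `order` against `length` in the caller as well, where malformed input could be reported instead of passed through. The comparison also rejects `order == length`, which the visible copy loop alone would not require; if code further down the function needs at least one sample beyond `order`, a comment saying so would make the choice of `>=` clear.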


