[FFmpeg-devel] [PATCH] aaccoder: prevent crash of anmr coder

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sun Dec 6 22:36:05 CET 2015


On 05.12.2015 02:58, Claudio Freire wrote:
> Alright, I see what's going on. minscaler-maxscaler and/or q0-q1 are
> empty ranges, so that results in no possible solutions.
> 
> I pushed a fix for that, leaving your "safety net" intact.

Thanks.

> You may wish to re-fuzz ;)

I did that and found more issues, this time also affecting the twoloop encoder.

One is an out-of-bounds read in avoid_clipping, which is caused by
ics->max_sfb being larger than ics->num_swb. I've sent a patch for that.

The other is a regression since 01ecb71, so I hope you know how to fix that.
In search_for_pns in libavcodec/aaccoder.c:
    for (w = 0; w < sce->ics.num_windows; w += sce->ics.group_len[w]) {
[...]
        for (g = 0;  g < sce->ics.num_swb; g++) {
[...]
            for (w2 = 0; w2 < sce->ics.group_len[w]; w2++) {
[...]
            }
            if (g && sce->sf_idx[(w+w2)*16+g-1] == NOISE_BT) {

At this point w+w2 can be sce->ics.num_windows, which causes an
out-of-bounds read.

Best regards,
Andreas
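To make the indexing problem above concrete, here is an added C example that is not FFmpeg's code and not part of the original message. It models only the fields of the channel stream that the quoted loops touch (num_windows, num_swb, group_len and a 128-entry sf_idx table indexed as window*16 + band, all assumptions of this example) and walks the loops exactly as quoted: after the inner `for (w2 = 0; w2 < group_len[w]; w2++)` terminates, `w2` equals `group_len[w]`, so for the last window group `w + w2` equals `num_windows` and the subscript lands past the table. A second walk that pins the subscript to the group's first window is shown as one illustrative hardening; it is an assumption of this example, not necessarily the fix that landed upstream.

```c
#include <stdio.h>

#define MAX_WINDOWS 8
#define SF_ROW      16                       /* sf_idx is indexed window*16 + band */
#define SF_IDX_LEN  (MAX_WINDOWS * SF_ROW)   /* 128 entries (assumed table size) */

/* Constructed stand-in for the stream fields the quoted loops use
 * (example code, not FFmpeg's IndividualChannelStream). */
typedef struct {
    int num_windows;
    int num_swb;
    int group_len[MAX_WINDOWS];   /* only meaningful at group starts */
    int sf_idx[SF_IDX_LEN];
} ExampleIcs;

/* Walk the loops as quoted on the page and return the highest sf_idx
 * subscript the `if (g && ...)` condition would read, or -1 if g never
 * reaches 1. The subscript is taken after the w2 loop has run to
 * completion, so w2 == group_len[w] at that point. */
static int max_index_after_loop(const ExampleIcs *ics)
{
    int w, w2, g, max = -1;
    for (w = 0; w < ics->num_windows; w += ics->group_len[w]) {
        for (g = 0; g < ics->num_swb; g++) {
            for (w2 = 0; w2 < ics->group_len[w]; w2++) {
                /* per-window work elided on the page */
            }
            if (g) {
                int idx = (w + w2) * SF_ROW + g - 1;
                if (idx > max)
                    max = idx;
            }
        }
    }
    return max;
}

/* Same walk, but the subscript uses the group's first window w.
 * Assumption of this example: every window in a group carries the same
 * band type, so row w is representative. Shown as a hardening, not as
 * the upstream fix. */
static int max_index_first_window(const ExampleIcs *ics)
{
    int w, g, max = -1;
    for (w = 0; w < ics->num_windows; w += ics->group_len[w]) {
        for (g = 1; g < ics->num_swb; g++) {
            int idx = w * SF_ROW + g - 1;
            if (idx > max)
                max = idx;
        }
    }
    return max;
}

static int index_in_bounds(int idx)
{
    return idx >= 0 && idx < SF_IDX_LEN;
}

/* Constructed input: eight short windows grouped 2+3+3, four bands. */
static ExampleIcs example_short_windows(void)
{
    ExampleIcs ics = {0};
    ics.num_windows  = 8;
    ics.num_swb      = 4;
    ics.group_len[0] = 2;
    ics.group_len[2] = 3;
    ics.group_len[5] = 3;
    return ics;
}

/* Helpers returning the two subscripts for the constructed input. */
int example_buggy_index(void)
{
    ExampleIcs ics = example_short_windows();
    return max_index_after_loop(&ics);
}

int example_safe_index(void)
{
    ExampleIcs ics = example_short_windows();
    return max_index_first_window(&ics);
}

int main(void)
{
    int buggy = example_buggy_index();
    int safe  = example_safe_index();
    printf("after-loop subscript %d -> window %d (%s)\n",
           buggy, buggy / SF_ROW,
           index_in_bounds(buggy) ? "in bounds" : "out of bounds");
    printf("first-window subscript %d -> window %d (%s)\n",
           safe, safe / SF_ROW,
           index_in_bounds(safe) ? "in bounds" : "out of bounds");
    return 0;
}
```

For the constructed 2+3+3 grouping the last group starts at window 5, so after the inner loop `w + w2` is 8, which is `num_windows`, and the subscript 8*16 + 3 - 1 = 130 lies past the 128-entry table; pinning the subscript to window 5 keeps it at 82. Note that the example's `w` loop relies on `group_len[w]` being non-zero at each group start, as the real encoder guarantees.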

