[FFmpeg-devel] [PATCH] opus_silk: fix out of array read in silk_lsf2lpc

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Tue Dec 15 01:15:58 CET 2015


On 14.12.2015 23:14, Michael Niedermayer wrote:
> On Mon, Dec 14, 2015 at 08:43:38PM +0100, Andreas Cadhalpun wrote:
>>  opus_silk.c |    2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>> cc0c02e14c1bda0ab35813c8d4629e742af7d23f  0001-opus_silk-fix-int16_t-overflow-in-silk_stabilize_lsf.patch
>> From 958789a66e6f55e05ab3d8e945b8ff899680c073 Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> Date: Mon, 14 Dec 2015 20:31:41 +0100
>> Subject: [PATCH] opus_silk: fix int16_t overflow in silk_stabilize_lsf
>>
>> nlsf[i - 1] + min_delta[i] can be larger than INT16_MAX, causing nlsf to
>> be set to a negative value. However, it is not supposed to be negative
>> and if it is, it causes an out of bounds read in silk_lsf2lpc.
>>
>> Since min_delta is unsigned, the overflow only happens when the result
>> of the addition is assigned to nlsf, so that the FFMIN solves the
>> problem.
>>
>> Even though the specification implies that the value of nlsf can be
>> larger than INT16_MAX at this intermediary point, it is reduced to the
>> int16_t range in the next loop, the result of which doesn't change if
>> the too large intermediary values are replaced by INT16_MAX.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>>  libavcodec/opus_silk.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> should be ok

I assume you don't mind the change to av_clip_int16, or do you?

Best regards,
Andreas
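
Added example (not part of this thread and not FFmpeg's code): a minimal C model of the forward spacing pass the commit message describes, showing the narrowing store wrapping to a negative value and a saturating store avoiding it. The function names, `ORDER`, the `uint16_t` type for `min_delta` and all sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ORDER 4                      /* constructed size, not the codec's */

/* Constructed inputs: chosen so that nlsf[i - 1] + min_delta[i] exceeds INT16_MAX. */
static const int16_t  sample_nlsf[ORDER]      = { 1000, 32000, 100, 200 };
static const uint16_t sample_min_delta[ORDER] = { 250, 250, 1000, 500 };

/* Forward spacing pass: nlsf[i] must be at least nlsf[i - 1] + min_delta[i].
 * clamp == 0 models the plain assignment, clamp == 1 the saturating one. */
static void push_forward(int16_t *nlsf, const uint16_t *min_delta, int order, int clamp)
{
    for (int i = 1; i < order; i++) {
        int want = nlsf[i - 1] + min_delta[i];   /* int arithmetic: no overflow here */
        if (nlsf[i] >= want)
            continue;
        if (clamp && want > INT16_MAX)
            want = INT16_MAX;                    /* saturate before narrowing */
        nlsf[i] = (int16_t)want;                 /* the narrowing store */
    }
}

/* Run the pass on a copy of the sample and return element idx. */
static int run_sample(int clamp, int idx)
{
    int16_t nlsf[ORDER];
    for (int i = 0; i < ORDER; i++)
        nlsf[i] = sample_nlsf[i];
    push_forward(nlsf, sample_min_delta, ORDER, clamp);
    return nlsf[idx];
}

/* A consumer that indexes a table with the value must reject negatives. */
static int usable_as_index(int v) { return v >= 0; }

int main(void)
{
    for (int clamp = 0; clamp <= 1; clamp++)
        for (int i = 0; i < ORDER; i++)
            printf("clamp=%d nlsf[%d]=%6d index_ok=%d\n", clamp, i,
                   run_sample(clamp, i), usable_as_index(run_sample(clamp, i)));
    return 0;
}
```

The out-of-range conversion to `int16_t` is implementation-defined in C; the wrapped value shown is what GCC and Clang produce.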


