[FFmpeg-devel] [PATCH] opus_silk: fix out of array read in silk_lsf2lpc

Michael Niedermayer michaelni at gmx.at
Tue Dec 15 03:18:11 CET 2015 

On Tue, Dec 15, 2015 at 01:15:58AM +0100, Andreas Cadhalpun wrote:
> On 14.12.2015 23:14, Michael Niedermayer wrote:
> > On Mon, Dec 14, 2015 at 08:43:38PM +0100, Andreas Cadhalpun wrote:
> >>  opus_silk.c |    2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >> cc0c02e14c1bda0ab35813c8d4629e742af7d23f  0001-opus_silk-fix-int16_t-overflow-in-silk_stabilize_lsf.patch
> >> From 958789a66e6f55e05ab3d8e945b8ff899680c073 Mon Sep 17 00:00:00 2001
> >> From: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >> Date: Mon, 14 Dec 2015 20:31:41 +0100
> >> Subject: [PATCH] opus_silk: fix int16_t overflow in silk_stabilize_lsf
> >>
> >> nlsf[i - 1] + min_delta[i] can be larger than INT16_MAX, causing nlsf to
> >> be set to a negative value. However, it is not supposed to be negative
> >> and if it is, it causes an out of bounds read in silk_lsf2lpc.
> >>
> >> Since min_delta is unsigned, the overflow only happens when the result
> >> of the addition is assigned to nlsf, so that the FFMIN solves the
> >> problem.
> >>
> >> Even though the specification implies that the value of nlfs can be
> >> larger than INT16_MAX at this intermediary point, it is reduced to the
> >> int16_t range in the next loop, the result of which doesn't change if
> >> the too large intermediary values are replaced by INT16_MAX.
> >>
> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> >> ---
> >>  libavcodec/opus_silk.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > should be ok
> 
> I assume you don't mind the change to av_clip_int16, or do you?

no objections to av_clip_int16

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20151215/ed14a42f/attachment.sig>

More information about the ffmpeg-devel mailing list