Mercurial > libavcodec.hg
comparison wmavoice.c @ 12381:2ba9068e748d libavcodec
Fix buffer overrun if idx is negative (it can be down to -23>>4), by prepending
two padding zeroes before it. Should fix fate failures on openBSD and crashes
on MacOSX (that I cannot reproduce).
| author | rbultje |
|---|---|
| date | Mon, 09 Aug 2010 13:54:59 +0000 |
| parents | 7323559a53fd |
| children |
comparison
equal
deleted
inserted
replaced
| 12380:e402b74c4b62 | 12381:2ba9068e748d |
|---|---|
| 1031 * @param fcb structure containing fixed codebook vector info | 1031 * @param fcb structure containing fixed codebook vector info |
| 1032 */ | 1032 */ |
| 1033 static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, | 1033 static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb, |
| 1034 int block_idx, AMRFixed *fcb) | 1034 int block_idx, AMRFixed *fcb) |
| 1035 { | 1035 { |
| 1036 uint16_t use_mask[7]; // only 5 are used, rest is padding | 1036 uint16_t use_mask_mem[9]; // only 5 are used, rest is padding |
| 1037 uint16_t *use_mask = use_mask_mem + 2; | |
| 1037 /* in this function, idx is the index in the 80-bit (+ padding) use_mask | 1038 /* in this function, idx is the index in the 80-bit (+ padding) use_mask |
| 1038 * bit-array. Since use_mask consists of 16-bit values, the lower 4 bits | 1039 * bit-array. Since use_mask consists of 16-bit values, the lower 4 bits |
| 1039 * of idx are the position of the bit within a particular item in the | 1040 * of idx are the position of the bit within a particular item in the |
| 1040 * array (0 being the most significant bit, and 15 being the least | 1041 * array (0 being the most significant bit, and 15 being the least |
| 1041 * significant bit), and the remainder (>> 4) is the index in the | 1042 * significant bit), and the remainder (>> 4) is the index in the |
| 1063 pulse_start = s->aw_n_pulses[block_idx] > 0 ? pulse_off - range / 2 : 0; | 1064 pulse_start = s->aw_n_pulses[block_idx] > 0 ? pulse_off - range / 2 : 0; |
| 1064 | 1065 |
| 1065 /* aw_pulse_set1() already applies pulses around pulse_off (to be exactly, | 1066 /* aw_pulse_set1() already applies pulses around pulse_off (to be exactly, |
| 1066 * in the range of [pulse_off, pulse_off + s->aw_pulse_range], and thus | 1067 * in the range of [pulse_off, pulse_off + s->aw_pulse_range], and thus |
| 1067 * we exclude that range from being pulsed again in this function. */ | 1068 * we exclude that range from being pulsed again in this function. */ |
| 1069 memset(&use_mask[-2], 0, 2 * sizeof(use_mask[0])); | |
| 1068 memset( use_mask, -1, 5 * sizeof(use_mask[0])); | 1070 memset( use_mask, -1, 5 * sizeof(use_mask[0])); |
| 1069 memset(&use_mask[5], 0, 2 * sizeof(use_mask[0])); | 1071 memset(&use_mask[5], 0, 2 * sizeof(use_mask[0])); |
| 1070 if (s->aw_n_pulses[block_idx] > 0) | 1072 if (s->aw_n_pulses[block_idx] > 0) |
| 1071 for (idx = pulse_off; idx < MAX_FRAMESIZE / 2; idx += fcb->pitch_lag) { | 1073 for (idx = pulse_off; idx < MAX_FRAMESIZE / 2; idx += fcb->pitch_lag) { |
| 1072 int excl_range = s->aw_pulse_range; // always 16 or 24 | 1074 int excl_range = s->aw_pulse_range; // always 16 or 24 |