Mercurial > libavcodec.hg
diff ac3.c @ 8279:6c2dcc1410bb libavcodec
ac3: detect dba errors and prevent writing past end of array
| author | jbr |
|---|---|
| date | Mon, 08 Dec 2008 03:13:20 +0000 |
| parents | 1a93d3bbe3ee |
| children | 63aba08af550 |
line wrap: on
line diff
--- a/ac3.c Sun Dec 07 16:30:08 2008 +0000 +++ b/ac3.c Mon Dec 08 03:13:20 2008 +0000 @@ -80,7 +80,7 @@ } while (end > band_start_tab[k]); } -void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, +int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, int start, int end, int fast_gain, int is_lfe, int dba_mode, int dba_nsegs, uint8_t *dba_offsets, uint8_t *dba_lengths, uint8_t *dba_values, @@ -156,9 +156,13 @@ if (dba_mode == DBA_REUSE || dba_mode == DBA_NEW) { int band, seg, delta; + if (dba_nsegs >= 8) + return -1; band = 0; - for (seg = 0; seg < FFMIN(8, dba_nsegs); seg++) { - band = FFMIN(49, band + dba_offsets[seg]); + for (seg = 0; seg < dba_nsegs; seg++) { + band += dba_offsets[seg]; + if (band >= 50 || dba_lengths[seg] > 50-band) + return -1; if (dba_values[seg] >= 4) { delta = (dba_values[seg] - 3) << 7; } else { @@ -170,6 +174,7 @@ } } } + return 0; } void ff_ac3_bit_alloc_calc_bap(int16_t *mask, int16_t *psd, int start, int end,