# HG changeset patch
# User jbr
# Date 1228706000 0
# Node ID 6c2dcc1410bbc1572997e4159da6c4791cdde25b
# Parent  24a49d3fdc3bef2028174e4bd14426bd5bd46ce0
ac3: detect dba errors and prevent writing past end of array

diff -r 24a49d3fdc3b -r 6c2dcc1410bb ac3.c
--- a/ac3.c	Sun Dec 07 16:30:08 2008 +0000
+++ b/ac3.c	Mon Dec 08 03:13:20 2008 +0000
@@ -80,7 +80,7 @@
     } while (end > band_start_tab[k]);
 }
 
-void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
+int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
                                 int start, int end, int fast_gain, int is_lfe,
                                 int dba_mode, int dba_nsegs, uint8_t *dba_offsets,
                                 uint8_t *dba_lengths, uint8_t *dba_values,
@@ -156,9 +156,13 @@
 
     if (dba_mode == DBA_REUSE || dba_mode == DBA_NEW) {
         int band, seg, delta;
+        if (dba_nsegs >= 8)
+            return -1;
         band = 0;
-        for (seg = 0; seg < FFMIN(8, dba_nsegs); seg++) {
-            band = FFMIN(49, band + dba_offsets[seg]);
+        for (seg = 0; seg < dba_nsegs; seg++) {
+            band += dba_offsets[seg];
+            if (band >= 50 || dba_lengths[seg] > 50-band)
+                return -1;
             if (dba_values[seg] >= 4) {
                 delta = (dba_values[seg] - 3) << 7;
             } else {
@@ -170,6 +174,7 @@
             }
         }
     }
+    return 0;
 }
 
 void ff_ac3_bit_alloc_calc_bap(int16_t *mask, int16_t *psd, int start, int end,
diff -r 24a49d3fdc3b -r 6c2dcc1410bb ac3.h
--- a/ac3.h	Sun Dec 07 16:30:08 2008 +0000
+++ b/ac3.h	Mon Dec 08 03:13:20 2008 +0000
@@ -149,8 +149,9 @@
  * @param[in]  dba_lengths  length of each segment
  * @param[in]  dba_values   delta bit allocation for each segment
  * @param[out] mask         calculated masking curve
+ * @return returns 0 for success, non-zero for error
  */
-void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
+int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
                                 int start, int end, int fast_gain, int is_lfe,
                                 int dba_mode, int dba_nsegs, uint8_t *dba_offsets,
                                 uint8_t *dba_lengths, uint8_t *dba_values,
diff -r 24a49d3fdc3b -r 6c2dcc1410bb ac3dec.c
--- a/ac3dec.c	Sun Dec 07 16:30:08 2008 +0000
+++ b/ac3dec.c	Mon Dec 08 03:13:20 2008 +0000
@@ -1133,12 +1133,15 @@
         if(bit_alloc_stages[ch] > 1) {
             /* Compute excitation function, Compute masking curve, and
                Apply delta bit allocation */
-            ff_ac3_bit_alloc_calc_mask(&s->bit_alloc_params, s->band_psd[ch],
+            if (ff_ac3_bit_alloc_calc_mask(&s->bit_alloc_params, s->band_psd[ch],
                                        s->start_freq[ch], s->end_freq[ch],
                                        s->fast_gain[ch], (ch == s->lfe_ch),
                                        s->dba_mode[ch], s->dba_nsegs[ch],
                                        s->dba_offsets[ch], s->dba_lengths[ch],
-                                       s->dba_values[ch], s->mask[ch]);
+                                       s->dba_values[ch], s->mask[ch])) {
+                av_log(s->avctx, AV_LOG_ERROR, "error in bit allocation\n");
+                return -1;
+            }
         }
         if(bit_alloc_stages[ch] > 0) {
             /* Compute bit allocation */