# HG changeset patch # User mru # Date 1277562861 0 # Node ID f092b80c0da24b35120f7a5f65597de58270b843 # Parent 74c0478534cfbed531d0dc4cd7a16311508e3fcf shorten: remove VLA and check for buffer overflow diff -r 74c0478534cf -r f092b80c0da2 shorten.c --- a/shorten.c Sat Jun 26 14:34:18 2010 +0000 +++ b/shorten.c Sat Jun 26 14:34:21 2010 +0000 @@ -83,6 +83,7 @@ int32_t *decoded[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS]; + int *coeffs; uint8_t *bitstream; int bitstream_size; int bitstream_index; @@ -112,6 +113,8 @@ static int allocate_buffers(ShortenContext *s) { int i, chan; + int *coeffs; + for (chan=0; chanchannels; chan++) { if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); @@ -129,6 +132,12 @@ s->decoded[chan][i] = 0; s->decoded[chan] += s->nwrap; } + + coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs)); + if (!coeffs) + return AVERROR(ENOMEM); + s->coeffs = coeffs; + return 0; } @@ -253,7 +262,7 @@ static void decode_subframe_lpc(ShortenContext *s, int channel, int residual_size, int pred_order) { int sum, i, j; - int coeffs[pred_order]; + int *coeffs = s->coeffs; for (i=0; igb, LPCQUANT); @@ -427,6 +436,12 @@ case FN_QLPC: { int pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); + if (pred_order > s->nwrap) { + av_log(avctx, AV_LOG_ERROR, + "invalid pred_order %d\n", + pred_order); + return -1; + } for (i=0; idecoded[channel][i - pred_order] -= coffset; decode_subframe_lpc(s, channel, residual_size, pred_order); @@ -515,6 +530,7 @@ av_freep(&s->offset[i]); } av_freep(&s->bitstream); + av_freep(&s->coeffs); return 0; }