Mercurial > libavcodec.hg

changeset 8279:6c2dcc1410bb libavcodec

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
ac3: detect dba errors and prevent writing past end of array
author jbr
date Mon, 08 Dec 2008 03:13:20 +0000
parents 24a49d3fdc3b
children 63aba08af550
files ac3.c ac3.h ac3dec.c
diffstat 3 files changed, 15 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/ac3.c	Sun Dec 07 16:30:08 2008 +0000
+++ b/ac3.c	Mon Dec 08 03:13:20 2008 +0000
@@ -80,7 +80,7 @@
     } while (end > band_start_tab[k]);
 }
 
-void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
+int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
                                 int start, int end, int fast_gain, int is_lfe,
                                 int dba_mode, int dba_nsegs, uint8_t *dba_offsets,
                                 uint8_t *dba_lengths, uint8_t *dba_values,
@@ -156,9 +156,13 @@
 
     if (dba_mode == DBA_REUSE || dba_mode == DBA_NEW) {
         int band, seg, delta;
+        if (dba_nsegs >= 8)
+            return -1;
         band = 0;
-        for (seg = 0; seg < FFMIN(8, dba_nsegs); seg++) {
-            band = FFMIN(49, band + dba_offsets[seg]);
+        for (seg = 0; seg < dba_nsegs; seg++) {
+            band += dba_offsets[seg];
+            if (band >= 50 || dba_lengths[seg] > 50-band)
+                return -1;
             if (dba_values[seg] >= 4) {
                 delta = (dba_values[seg] - 3) << 7;
             } else {
@@ -170,6 +174,7 @@
             }
         }
     }
+    return 0;
 }
 
 void ff_ac3_bit_alloc_calc_bap(int16_t *mask, int16_t *psd, int start, int end,
--- a/ac3.h	Sun Dec 07 16:30:08 2008 +0000
+++ b/ac3.h	Mon Dec 08 03:13:20 2008 +0000
@@ -149,8 +149,9 @@
  * @param[in]  dba_lengths  length of each segment
  * @param[in]  dba_values   delta bit allocation for each segment
  * @param[out] mask         calculated masking curve
+ * @return returns 0 for success, non-zero for error
  */
-void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
+int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
                                 int start, int end, int fast_gain, int is_lfe,
                                 int dba_mode, int dba_nsegs, uint8_t *dba_offsets,
                                 uint8_t *dba_lengths, uint8_t *dba_values,
--- a/ac3dec.c	Sun Dec 07 16:30:08 2008 +0000
+++ b/ac3dec.c	Mon Dec 08 03:13:20 2008 +0000
@@ -1133,12 +1133,15 @@
         if(bit_alloc_stages[ch] > 1) {
             /* Compute excitation function, Compute masking curve, and
                Apply delta bit allocation */
-            ff_ac3_bit_alloc_calc_mask(&s->bit_alloc_params, s->band_psd[ch],
+            if (ff_ac3_bit_alloc_calc_mask(&s->bit_alloc_params, s->band_psd[ch],
                                        s->start_freq[ch], s->end_freq[ch],
                                        s->fast_gain[ch], (ch == s->lfe_ch),
                                        s->dba_mode[ch], s->dba_nsegs[ch],
                                        s->dba_offsets[ch], s->dba_lengths[ch],
-                                       s->dba_values[ch], s->mask[ch]);
+                                       s->dba_values[ch], s->mask[ch])) {
+                av_log(s->avctx, AV_LOG_ERROR, "error in bit allocation\n");
+                return -1;
+            }
         }
         if(bit_alloc_stages[ch] > 0) {
             /* Compute bit allocation */