[FFmpeg-cvslog] r24750 - trunk/libavcodec/wmavoice.c
rbultje
subversion
Mon Aug 9 15:54:59 CEST 2010
Author: rbultje
Date: Mon Aug 9 15:54:59 2010
New Revision: 24750
Log:
Fix buffer overrun if idx is negative (it can be down to -23>>4), by prepending
two padding zeroes before it. Should fix fate failures on openBSD and crashes
on MacOSX (that I cannot reproduce).
Modified:
trunk/libavcodec/wmavoice.c
Modified: trunk/libavcodec/wmavoice.c
==============================================================================
--- trunk/libavcodec/wmavoice.c Mon Aug 9 12:31:59 2010 (r24749)
+++ trunk/libavcodec/wmavoice.c Mon Aug 9 15:54:59 2010 (r24750)
@@ -1033,7 +1033,8 @@ static void aw_parse_coords(WMAVoiceCont
static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb,
int block_idx, AMRFixed *fcb)
{
- uint16_t use_mask[7]; // only 5 are used, rest is padding
+ uint16_t use_mask_mem[9]; // only 5 are used, rest is padding
+ uint16_t *use_mask = use_mask_mem + 2;
/* in this function, idx is the index in the 80-bit (+ padding) use_mask
* bit-array. Since use_mask consists of 16-bit values, the lower 4 bits
* of idx are the position of the bit within a particular item in the
@@ -1065,6 +1066,7 @@ static void aw_pulse_set2(WMAVoiceContex
/* aw_pulse_set1() already applies pulses around pulse_off (to be exactly,
* in the range of [pulse_off, pulse_off + s->aw_pulse_range], and thus
* we exclude that range from being pulsed again in this function. */
+ memset(&use_mask[-2], 0, 2 * sizeof(use_mask[0]));
memset( use_mask, -1, 5 * sizeof(use_mask[0]));
memset(&use_mask[5], 0, 2 * sizeof(use_mask[0]));
if (s->aw_n_pulses[block_idx] > 0)
More information about the ffmpeg-cvslog
mailing list