[FFmpeg-cvslog] ac3dec: fix bugs in direct buffer use.

Michael Niedermayer git at videolan.org
Mon Dec 10 04:51:03 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Dec 10 03:11:16 2012 +0100| [7aabeea9ba0e557e834c886de5ea4db8e9a5193d] | committer: Michael Niedermayer

ac3dec: fix bugs in direct buffer use.

This fixes potentially exploitable out of array writes.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7aabeea9ba0e557e834c886de5ea4db8e9a5193d
---

 libavcodec/ac3dec.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 50e980b..1013901 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1384,12 +1384,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
 
     /* decode the audio blocks */
     channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on];
+    for (ch = 0; ch < AC3_MAX_CHANNELS; ch++) {
+        output[ch] = s->output[ch];
+    }
     for (ch = 0; ch < s->channels; ch++) {
         if (ch < s->out_channels)
             s->outptr[channel_map[ch]] = (float *)s->frame.data[ch];
         else
             s->outptr[ch] = s->output[ch];
-        output[ch] = s->output[ch];
     }
     for (blk = 0; blk < s->num_blocks; blk++) {
         if (!err && decode_audio_block(s, blk)) {
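Review bot: s->outptr[] is still populated only by the second loop, so any index reached neither as channel_map[ch] (for ch < s->out_channels) nor as ch (for the remaining channels) keeps the pointer left by an earlier frame. The else branch can also overwrite an entry that an earlier iteration pointed at frame data, if channel_map[] maps a low channel to an index at or above s->out_channels. Both depend on the contents of ff_ac3_dec_channel_map, which is not visible here. Adding `s->outptr[ch] = s->output[ch];` to the loop this hunk introduces, and dropping the else branch, would give every entry a defined value before the frame pointers are assigned. The body of ac3_decode_frame starts and ends outside the hunk.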
@@ -1398,10 +1400,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
         }
         if (err)
             for (ch = 0; ch < s->out_channels; ch++)
-                memcpy(s->outptr[channel_map[ch]], output[ch], 1024);
+                memcpy(((float*)s->frame.data[ch]) + AC3_BLOCK_SIZE*blk, output[ch], 1024);
         for (ch = 0; ch < s->out_channels; ch++) {
             output[ch] = s->outptr[channel_map[ch]];
-            s->outptr[channel_map[ch]] += AC3_BLOCK_SIZE;
+        }
+        for (ch = 0; ch < s->channels; ch++) {
+            s->outptr[ch] += AC3_BLOCK_SIZE;
         }
     }
 
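Review bot: The new trailing loop advances every s->outptr[ch] for ch < s->channels by AC3_BLOCK_SIZE per block, and that includes the entries the setup loop pointed at s->output[ch] instead of the frame buffer. If each s->output[ch] row holds a single block (its declaration is outside the hunk), those pointers leave the row after the first block, so anything decode_audio_block writes through them in later blocks would land out of bounds; it is worth confirming that and advancing only the entries that point into s->frame.data. Separately, the memcpy length is still the literal 1024 while the destination offset uses AC3_BLOCK_SIZE; `AC3_BLOCK_SIZE * sizeof(float)` would keep the two tied together, assuming 1024 is meant to be one block of floats. The enclosing function continues past the hunk.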


