[FFmpeg-cvslog] aacsbr: prevent out of bounds memcpy().

Mon Jun 4 12:51:30 CEST 2012

ffmpeg | branch: release/0.6 | Alex Converse <alex.converse at gmail.com> | Tue Jan 10 13:07:09 2012 -0800| [32b73701c72153980cbd09743bf3011a08e6af90] | committer: Reinhard Tartler

aacsbr: prevent out of bounds memcpy().

Fixes Libav Bug 195.
Fixes CVE-2012-0850

This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.

Based on change by Michael Niedermayer.

Signed-off-by: Alex Converse <alex.converse at gmail.com>
(cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 01804cc91ab231ac79092eee21325d7644357975)

Conflicts:

	libavcodec/aacsbr.c

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=32b73701c72153980cbd09743bf3011a08e6af90
---

 libavcodec/aacsbr.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
index cac34bb..a8ce7ce 100644
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1182,14 +1182,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct,
     int i, n;
     const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
     int scale_and_bias = scale != 1.0f || bias != 0.0f;
+    const int step = 128 >> div;
     float *v;
     for (i = 0; i < 32; i++) {
-        if (*v_off == 0) {
+        if (*v_off < step) {
             int saved_samples = (1280 - 128) >> div;
             memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
-            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div);
+            *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step;
         } else {
-            *v_off -= 128 >> div;
+            *v_off -= step;
         }
         v = v0 + *v_off;
         if (div) {

