[FFmpeg-cvslog] wmavoice: fix stack overread.

Ronald S. Bultje git at videolan.org
Thu May 3 00:26:18 CEST 2012


ffmpeg | branch: release/0.10 | Ronald S. Bultje <rsbultje at gmail.com> | Wed Mar 21 15:47:11 2012 -0700| [105601c1513a14ccfe115c936006f3f9062788f2] | committer: Reinhard Tartler

wmavoice: fix stack overread.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 262196445cf03fda0f7e41c4b968f4f7bf060e6b)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=105601c1513a14ccfe115c936006f3f9062788f2
---

 libavcodec/wmavoice.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index 8854e35..86e6996 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1440,8 +1440,7 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
     int pitch[MAX_BLOCKS], last_block_pitch;
 
     /* Parse frame type ("frame header"), see frame_descs */
-    int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)],
-        block_nsamples = MAX_FRAMESIZE / frame_descs[bd_idx].n_blocks;
+    int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples;
 
     if (bd_idx < 0) {
         av_log(ctx, AV_LOG_ERROR,
@@ -1449,6 +1448,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx,
         return -1;
     }
 
+    block_nsamples = MAX_FRAMESIZE / frame_descs[bd_idx].n_blocks;
+
     /* Pitch calculation for ACB_TYPE_ASYMMETRIC ("pitch-per-frame") */
     if (frame_descs[bd_idx].acb_type == ACB_TYPE_ASYMMETRIC) {
         /* Pitch is provided per frame, which is interpreted as the pitch of



More information about the ffmpeg-cvslog mailing list