[FFmpeg-cvslog] avcodec/ac3: fix out of array access introduced previously

Paul B Mahol git at videolan.org
Fri Mar 30 11:16:49 EEST 2018


ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Fri Mar 30 10:14:48 2018 +0200| [0b86ea03d8415b5a3a6b07f3012a8097bca26ea5] | committer: Paul B Mahol

avcodec/ac3: fix out of array access introduced previously

Signed-off-by: Paul B Mahol <onemda at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0b86ea03d8415b5a3a6b07f3012a8097bca26ea5
---

 libavcodec/ac3.h    |  1 +
 libavcodec/ac3dec.c | 10 +++++-----
 libavcodec/ac3dec.h |  6 +++---
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h
index 5c9c37727e..f8f6a81f45 100644
--- a/libavcodec/ac3.h
+++ b/libavcodec/ac3.h
@@ -28,6 +28,7 @@
 #define AVCODEC_AC3_H
 
 #define AC3_MAX_CODED_FRAME_SIZE 3840 /* in bytes */
+#define EAC3_MAX_CHANNELS 16          /**< maximum number of channels in EAC3 */
 #define AC3_MAX_CHANNELS 7            /**< maximum number of channels, including coupling channel */
 #define CPL_CH 0                      /**< coupling channel index */
 
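Review bot: The doc comment on `EAC3_MAX_CHANNELS` understates what the macro controls. In the ac3dec.c hunks of this same commit it is used not only as an array dimension but also as the bit count of `s->channel_map`, in `1 << (EAC3_MAX_CHANNELS - ch - 1)`, so changing the value changes which bits are tested. I would say so at the definition, e.g. `/**< maximum number of channels in EAC3; also the number of bits in the custom channel map */`.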
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index ac5c6d636a..b14d2e74ac 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1488,7 +1488,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
     int blk, ch, err, offset, ret;
     int got_independent_frame = 0;
     const uint8_t *channel_map;
-    uint8_t extended_channel_map[AC3_MAX_CHANNELS * 2];
+    uint8_t extended_channel_map[EAC3_MAX_CHANNELS];
     const SHORTFLOAT *output[AC3_MAX_CHANNELS];
     enum AVMatrixEncoding matrix_encoding;
     AVDownmixInfo *downmix_info;
@@ -1685,7 +1685,7 @@ dependent_frame:
         avctx->bit_rate    = s->bit_rate + s->prev_bit_rate;
     }
 
-    for (ch = 0; ch < 16; ch++)
+    for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++)
         extended_channel_map[ch] = ch;
 
     if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT) {
@@ -1698,7 +1698,7 @@ dependent_frame:
 
         channel_layout = ich_layout;
         for (ch = 0; ch < 16; ch++) {
-            if (s->channel_map & (1 << (15 - ch))) {
+            if (s->channel_map & (1 << (EAC3_MAX_CHANNELS - ch - 1))) {
                 channel_layout |= custom_channel_map_locations[ch][1];
             }
         }
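Review bot: The loop header `for (ch = 0; ch < 16; ch++) {` in this hunk keeps the literal bound while the shift beneath it now uses `EAC3_MAX_CHANNELS - ch - 1`. The two stay in step only while the macro is 16; if it were ever lowered, the shift count would go negative for the last iterations, which is undefined behaviour. The header should read `for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++) {`, as the next hunk already does for the second loop. The enclosing function starts and ends outside the hunk.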
@@ -1706,8 +1706,8 @@ dependent_frame:
         avctx->channel_layout = channel_layout;
         avctx->channels = av_get_channel_layout_nb_channels(channel_layout);
 
-        for (ch = 0; ch < 16; ch++) {
-            if (s->channel_map & (1 << (15 - ch))) {
+        for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++) {
+            if (s->channel_map & (1 << (EAC3_MAX_CHANNELS - ch - 1))) {
                 if (custom_channel_map_locations[ch][0]) {
                     int index = av_get_channel_layout_channel_index(channel_layout,
                                                                     custom_channel_map_locations[ch][1]);
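Review bot: `index` is the position of a channel inside `channel_layout`, and nothing visible in this hunk bounds that layout to the `EAC3_MAX_CHANNELS` entries `extended_channel_map` now has. If any `custom_channel_map_locations[ch][1]` entry names more than one channel (the table is not shown here), a stream that sets many bits in `s->channel_map` could produce a layout with more than 16 channels. `av_get_channel_layout_channel_index()` can also return a negative value. The use of `index` lies outside the hunk; if no such guard is already there, `if (index < 0 || index >= EAC3_MAX_CHANNELS) return AVERROR_INVALIDDATA;` belongs before `index` is used as a subscript.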
diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h
index ae5ef4bbc9..ce1434b55c 100644
--- a/libavcodec/ac3dec.h
+++ b/libavcodec/ac3dec.h
@@ -242,12 +242,12 @@ typedef struct AC3DecodeContext {
 ///@name Aligned arrays
     DECLARE_ALIGNED(16, int,   fixed_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS];       ///< fixed-point transform coefficients
     DECLARE_ALIGNED(32, INTFLOAT, transform_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS];   ///< transform coefficients
-    DECLARE_ALIGNED(32, INTFLOAT, delay)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE];         ///< delay - added to the next block
+    DECLARE_ALIGNED(32, INTFLOAT, delay)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE];         ///< delay - added to the next block
     DECLARE_ALIGNED(32, INTFLOAT, window)[AC3_BLOCK_SIZE];                              ///< window coefficients
     DECLARE_ALIGNED(32, INTFLOAT, tmp_output)[AC3_BLOCK_SIZE];                          ///< temporary storage for output before windowing
-    DECLARE_ALIGNED(32, SHORTFLOAT, output)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE];            ///< output after imdct transform and windowing
+    DECLARE_ALIGNED(32, SHORTFLOAT, output)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE];            ///< output after imdct transform and windowing
     DECLARE_ALIGNED(32, uint8_t, input_buffer)[AC3_FRAME_BUFFER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; ///< temp buffer to prevent overread
-    DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6];  ///< final output buffer
+    DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6];  ///< final output buffer
 ///@}
 } AC3DecodeContext;
 


