[FFmpeg-devel] [PATCH 1/1] aacenc_pred: prevent UB in ff_aac_adjust_common_pred()
Andreas Rheinhardt
andreas.rheinhardt at outlook.com
Tue Feb 27 20:39:16 EET 2024
Sean McGovern:
> ---
> libavcodec/aacenc_pred.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/aacenc_pred.c b/libavcodec/aacenc_pred.c
> index f87fcd5a00..d3efade85e 100644
> --- a/libavcodec/aacenc_pred.c
> +++ b/libavcodec/aacenc_pred.c
> @@ -162,9 +162,11 @@ void ff_aac_adjust_common_pred(AACEncContext *s, ChannelElement *cpe)
> sce1->ics.window_sequence[0] == EIGHT_SHORT_SEQUENCE)
> return;
>
> + const int num_swb = FFMIN(sce0->ics.num_swb, sizeof(sce0->ics.prediction_used));
> +
> for (w = 0; w < sce0->ics.num_windows; w += sce0->ics.group_len[w]) {
> start = 0;
> - for (g = 0; g < sce0->ics.num_swb; g++) {
> + for (g = 0; g < num_swb; g++) {
> int sfb = w*16+g;
> int sum = sce0->ics.prediction_used[sfb] + sce1->ics.prediction_used[sfb];
> float ener0 = 0.0f, ener1 = 0.0f, ener01 = 0.0f;
As you can see, the actual index used for accesses is w*16 + g and not
only g. So I was surprised that your fix fixed the test (as you claim).
Digging into the code, num_windows can be either 1 or eight and it is
only eight if window_sequence[0] is EIGHT_SHORT_SEQUENCE (see lines
477-488 in aacpsy.c as well as lines 877-897 in aacenc.c). In case
window_sequence[0] is EIGHT_SHORT_SEQUENCE, we do not even enter this
loop in ff_aac_adjust_common_pred(). This means that the outer loop
above is actually not a loop at all and your fix would indeed fix the
undefined behaviour.
But this also shows that this whole code is a mess. Someone who actually
knows it should take a look. Or maybe the grim reaper.
Anyway, your fix would lead to a wdeclaration-after-statement warning.
- Andreas
More information about the ffmpeg-devel
mailing list