[FFmpeg-trac] #7994(undetermined:new): undefined-behavior at libavcodec/ac3enc.c and heap buffer overflow at zmbvenc.c:97
FFmpeg
trac at avcodec.org
Thu Jul 4 10:34:31 EEST 2019
#7994: undefined-behavior at libavcodec/ac3enc.c and heap buffer overflow at zmbvenc.c:97
-------------------------------------+-------------------------------------
Reporter: Suhwan | Type: defect
Status: new | Priority: normal
Component: undetermined | Version: git-master
Keywords: ubsan | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
There is undefined behavior at libavcodec/ac3enc.c:1068:37 and a heap
buffer overflow at zmbvenc.c:97.
How to reproduce:
{{{
% ffmpeg_g -y -r 79 -i tmp.webm -map 0 -c:v zmbv -c:v:80 asv1 -disposition:v:60 zmbv -disposition:s pcm_s8 -ab 962 -ar 48000 -ac 10 -b:v 399k tmp_.avi
ffmpeg version : N-94163-g664a27ea40
built with clang version 9.0.0
}}}
{{{
1064 static int bit_alloc(AC3EncodeContext *s, int snr_offset)
1065 {
1066     int blk, ch;
1067
1068     snr_offset = (snr_offset - 240) << 2;
1069
1070     reset_block_bap(s);
1071     for (blk = 0; blk < s->num_blocks; blk++) {
1072         AC3Block *block = &s->blocks[blk];
1073
1074         for (ch = !block->cpl_in_use; ch <= s->channels; ch++) {
1075             /* Currently the only bit allocation parameters which vary across
1076                blocks within a frame are the exponent values. We can take
1077                advantage of that by reusing the bit allocation pointers
1078                whenever we reuse exponents. */
1079             if (s->exp_strategy[ch][blk] != EXP_REUSE) {
1080                 s->ac3dsp.bit_alloc_calc_bap(block->mask[ch], block->psd[ch],
1081                                              s->start_freq[ch], block->end_freq[ch],
1082                                              snr_offset, s->bit_alloc.floor,
1083                                              ff_ac3_bap_tab, s->ref_bap[ch][blk]);
1084             }
1085         }
1086     }
1087     return count_mantissa_bits(s);
1088 }
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/7994>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
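
Added example, not part of the ticket and not FFmpeg's code: assuming the UBSan location 1068:37 refers to the `<<` in `(snr_offset - 240) << 2`, this C sketch classifies when a signed left shift is undefined and shows a defined equivalent that multiplies instead. The helper names and the 0..1023 sweep range are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Why `value << bits` on a signed int would be undefined (C99/C11 6.5.7). */
enum shift_status { SHIFT_OK, SHIFT_BAD_EXPONENT, SHIFT_NEGATIVE_BASE, SHIFT_OVERFLOW };

static enum shift_status check_left_shift(int value, int bits)
{
    if (bits < 0 || bits >= (int)(sizeof(int) * CHAR_BIT))
        return SHIFT_BAD_EXPONENT;   /* exponent negative or >= width of int */
    if (value < 0)
        return SHIFT_NEGATIVE_BASE;  /* left operand is negative */
    if (value > (INT_MAX >> bits))
        return SHIFT_OVERFLOW;       /* value * 2^bits does not fit in int */
    return SHIFT_OK;
}

/* Defined replacement for `(snr_offset - 240) << 2`: multiply by 4.
   The caller must keep snr_offset small enough that neither step overflows. */
static int scale_snr_offset(int snr_offset)
{
    return (snr_offset - 240) * 4;
}

/* Count the inputs in [lo, hi] for which the shifted form would be undefined. */
static int count_undefined_inputs(int lo, int hi)
{
    int n = 0;
    for (int v = lo; v <= hi; v++)
        if (check_left_shift(v - 240, 2) != SHIFT_OK)
            n++;
    return n;
}

int main(void)
{
    /* 0..1023 is an assumed input range, not taken from the ticket. */
    printf("undefined for %d of 1024 inputs\n", count_undefined_inputs(0, 1023));
    printf("scale_snr_offset(0) = %d\n", scale_snr_offset(0));
    return 0;
}
```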