From 0b86ea03d8415b5a3a6b07f3012a8097bca26ea5 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 30 Mar 2018 10:14:48 +0200 Subject: [PATCH] avcodec/ac3: fix out of array access introduced previously Signed-off-by: Paul B Mahol --- libavcodec/ac3.h | 1 + libavcodec/ac3dec.c | 10 +++++----- libavcodec/ac3dec.h | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index 5c9c37727e..f8f6a81f45 100644 --- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -28,6 +28,7 @@ #define AVCODEC_AC3_H #define AC3_MAX_CODED_FRAME_SIZE 3840 /* in bytes */ +#define EAC3_MAX_CHANNELS 16 /**< maximum number of channels in EAC3 */ #define AC3_MAX_CHANNELS 7 /**< maximum number of channels, including coupling channel */ #define CPL_CH 0 /**< coupling channel index */ diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index ac5c6d636a..b14d2e74ac 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1488,7 +1488,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, int blk, ch, err, offset, ret; int got_independent_frame = 0; const uint8_t *channel_map; - uint8_t extended_channel_map[AC3_MAX_CHANNELS * 2]; + uint8_t extended_channel_map[EAC3_MAX_CHANNELS]; const SHORTFLOAT *output[AC3_MAX_CHANNELS]; enum AVMatrixEncoding matrix_encoding; AVDownmixInfo *downmix_info; @@ -1685,7 +1685,7 @@ dependent_frame: avctx->bit_rate = s->bit_rate + s->prev_bit_rate; } - for (ch = 0; ch < 16; ch++) + for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++) extended_channel_map[ch] = ch; if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT) { @@ -1698,7 +1698,7 @@ dependent_frame: channel_layout = ich_layout; for (ch = 0; ch < 16; ch++) { - if (s->channel_map & (1 << (15 - ch))) { + if (s->channel_map & (1 << (EAC3_MAX_CHANNELS - ch - 1))) { channel_layout |= custom_channel_map_locations[ch][1]; } } @@ -1706,8 +1706,8 @@ dependent_frame: avctx->channel_layout = channel_layout; avctx->channels = av_get_channel_layout_nb_channels(channel_layout); - for (ch = 0; ch < 16; ch++) { - if (s->channel_map & (1 << (15 - ch))) { + for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++) { + if (s->channel_map & (1 << (EAC3_MAX_CHANNELS - ch - 1))) { if (custom_channel_map_locations[ch][0]) { int index = av_get_channel_layout_channel_index(channel_layout, custom_channel_map_locations[ch][1]); diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index ae5ef4bbc9..ce1434b55c 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -242,12 +242,12 @@ typedef struct AC3DecodeContext { ///@name Aligned arrays DECLARE_ALIGNED(16, int, fixed_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< fixed-point transform coefficients DECLARE_ALIGNED(32, INTFLOAT, transform_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< transform coefficients - DECLARE_ALIGNED(32, INTFLOAT, delay)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< delay - added to the next block + DECLARE_ALIGNED(32, INTFLOAT, delay)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< delay - added to the next block DECLARE_ALIGNED(32, INTFLOAT, window)[AC3_BLOCK_SIZE]; ///< window coefficients DECLARE_ALIGNED(32, INTFLOAT, tmp_output)[AC3_BLOCK_SIZE]; ///< temporary storage for output before windowing - DECLARE_ALIGNED(32, SHORTFLOAT, output)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< output after imdct transform and windowing + DECLARE_ALIGNED(32, SHORTFLOAT, output)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< output after imdct transform and windowing DECLARE_ALIGNED(32, uint8_t, input_buffer)[AC3_FRAME_BUFFER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; ///< temp buffer to prevent overread - DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6]; ///< final output buffer + DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6]; ///< final output buffer ///@} } AC3DecodeContext;