From 0f98fd30e2d3c7254a1c56ce42a9a8bf0f6dc0eb Mon Sep 17 00:00:00 2001
From: Claudio Freire
Date: Sat, 26 Sep 2015 04:49:16 -0300
Subject: [PATCH] AAC encoder: fix OOB access in search_for_pns

Fix out of bounds access caused by wrongful usage of swb_offset constants when computing scalefactor positions.
---
 libavcodec/aaccoder.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c
index 4749d8c61c..10ea14b141 100644
--- a/libavcodec/aaccoder.c
+++ b/libavcodec/aaccoder.c
@@ -597,13 +597,13 @@ static void search_for_pns(AACEncContext *s, AVCodecContext *avctx, SingleChanne
 memcpy(sce->band_alt, sce->band_type, sizeof(sce->band_type));
 for (w = 0; w < sce->ics.num_windows; w += sce->ics.group_len[w]) {
- int wstart = sce->ics.swb_offset[w*16];
+ int wstart = w*128;
 for (g = 0; g < sce->ics.num_swb; g++) {
 int noise_sfi;
 float dist1 = 0.0f, dist2 = 0.0f, noise_amp;
 float pns_energy = 0.0f, pns_tgt_energy, energy_ratio, dist_thresh;
 float sfb_energy = 0.0f, threshold = 0.0f, spread = 0.0f;
- const int start = sce->ics.swb_offset[w*16+g];
+ const int start = wstart+sce->ics.swb_offset[g];
 const float freq = (start-wstart)*freq_mult;
 const float freq_boost = FFMAX(0.88f*freq/NOISE_LOW_LIMIT, 1.0f);
 if (freq < NOISE_LOW_LIMIT || avctx->cutoff && freq >= avctx->cutoff)
@@ -632,7 +632,7 @@ static void search_for_pns(AACEncContext *s, AVCodecContext *avctx, SingleChanne
 noise_amp = -ff_aac_pow2sf_tab[noise_sfi + POW_SF2_ZERO]; /* Dequantize */
 for (w2 = 0; w2 < sce->ics.group_len[w]; w2++) {
 float band_energy, scale, pns_senergy;
- const int start_c = sce->ics.swb_offset[(w+w2)*16+g];
+ const int start_c = (w+w2)*128+sce->ics.swb_offset[g];
 band = &s->psy.ch[s->cur_channel].psy_bands[(w+w2)*16+g];
 for (i = 0; i < sce->ics.swb_sizes[g]; i++)
 PNS[i] = s->random_state = lcg_random(s->random_state);
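Review bot: The per-window stride is hard-coded as the literal `128` in `int wstart = w*128;`, and the same literal is repeated in the second hunk's `start_c`. Since the bug being fixed was an index built from the wrong stride, a comment or named constant would make the invariant reviewable. I would add `/* 128 coefficients per window; swb_offset[] is indexed by band only */` above `wstart`. The new `swb_offset[g]` read is in bounds only if the table holds at least `num_swb` entries, which the hunk does not show, so that is worth confirming against the table definitions. search_for_pns starts and ends outside the hunk.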
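Review bot: `start_c` and the `psy_bands` index on the next line now use different strides (`*128` and `*16`) for the same `(w+w2)`, with no comment saying why. That invites a later cleanup to "unify" them and reintroduce the out-of-bounds read. A one-line comment such as `/* psy_bands: 16 bands per window; coefficients: 128 per window */` would document it, though the layout is inferred from the indexing here and should be confirmed. If `start` from the first hunk is still in scope at this point, `const int start_c = start + w2*128;` would avoid rebuilding the offset from scratch. The enclosing loops start and end outside the hunk.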