virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

Fix reading over the end of the allocated buffer.

Browse Source 
Patch by Anssi Hannula, anssi d hannula a iki d fi

Originally committed as revision 26291 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Anssi Hannula 2011-01-09 23:01:01 +00:00 committed by Carl Eugen Hoyos
parent 94fcbf5f38
commit 39f4d32908
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
libavcodec/dca.c
View File

@ -219,6 +219,8 @@ static const int8_t dca_channel_reorder_nolfe_xch[][9] = {
#define DCA_MAX_FRAME_SIZE 16384 #define DCA_MAX_FRAME_SIZE 16384
#define DCA_MAX_EXSS_HEADER_SIZE 4096 #define DCA_MAX_EXSS_HEADER_SIZE 4096
#define DCA_BUFFER_PADDING_SIZE 1024
/** Bit allocation */ /** Bit allocation */
typedef struct { typedef struct {
int offset; ///< code values offset int offset; ///< code values offset
@ -315,7 +317,7 @@ typedef struct {
DECLARE_ALIGNED(16, float, samples)[(DCA_PRIM_CHANNELS_MAX+1)*256]; DECLARE_ALIGNED(16, float, samples)[(DCA_PRIM_CHANNELS_MAX+1)*256];
const float *samples_chanptr[DCA_PRIM_CHANNELS_MAX+1]; const float *samples_chanptr[DCA_PRIM_CHANNELS_MAX+1];
uint8_t dca_buffer[DCA_MAX_FRAME_SIZE + DCA_MAX_EXSS_HEADER_SIZE]; uint8_t dca_buffer[DCA_MAX_FRAME_SIZE + DCA_MAX_EXSS_HEADER_SIZE + DCA_BUFFER_PADDING_SIZE];
int dca_buffer_size; ///< how much data is in the dca_buffer int dca_buffer_size; ///< how much data is in the dca_buffer
const int8_t* channel_order_tab; ///< channel reordering table, lfe and non lfe const int8_t* channel_order_tab; ///< channel reordering table, lfe and non lfe
@ -605,6 +607,9 @@ static int dca_subframe_header(DCAContext * s, int base_channel, int block_index
/* Primary audio coding side information */ /* Primary audio coding side information */
int j, k; int j, k;
if (get_bits_left(&s->gb) < 0)
return -1;
if (!base_channel) { if (!base_channel) {
s->subsubframes[s->current_subframe] = get_bits(&s->gb, 2) + 1; s->subsubframes[s->current_subframe] = get_bits(&s->gb, 2) + 1;
s->partial_samples[s->current_subframe] = get_bits(&s->gb, 3); s->partial_samples[s->current_subframe] = get_bits(&s->gb, 3);
@ -661,6 +666,9 @@ static int dca_subframe_header(DCAContext * s, int base_channel, int block_index
} }
} }
if (get_bits_left(&s->gb) < 0)
return -1;
for (j = base_channel; j < s->prim_channels; j++) { for (j = base_channel; j < s->prim_channels; j++) {
const uint32_t *scale_table; const uint32_t *scale_table;
int scale_sum; int scale_sum;
@ -696,6 +704,9 @@ static int dca_subframe_header(DCAContext * s, int base_channel, int block_index
s->joint_huff[j] = get_bits(&s->gb, 3); s->joint_huff[j] = get_bits(&s->gb, 3);
} }
if (get_bits_left(&s->gb) < 0)
return -1;
/* Scale factors for joint subband coding */ /* Scale factors for joint subband coding */
for (j = base_channel; j < s->prim_channels; j++) { for (j = base_channel; j < s->prim_channels; j++) {
int source_channel; int source_channel;
@ -1053,6 +1064,9 @@ static int dca_subsubframe(DCAContext * s, int base_channel, int block_index)
quant_step_table = lossy_quant_d; quant_step_table = lossy_quant_d;
for (k = base_channel; k < s->prim_channels; k++) { for (k = base_channel; k < s->prim_channels; k++) {
if (get_bits_left(&s->gb) < 0)
return -1;
for (l = 0; l < s->vq_start_subband[k]; l++) { for (l = 0; l < s->vq_start_subband[k]; l++) {
int m; int m;