From 58bb9d3a3a6ede1c6cfb82bf671a5f138e6b2144 Mon Sep 17 00:00:00 2001
From: Paul B Mahol
Date: Sat, 19 Oct 2019 19:34:47 +0200
Subject: [PATCH] avfilter/af_tremolo: fix heap-buffer overflow
Fixes #8317
---
 libavfilter/af_tremolo.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavfilter/af_tremolo.c b/libavfilter/af_tremolo.c
index 8cbc79892d..f55e8e2b09 100644
--- a/libavfilter/af_tremolo.c
+++ b/libavfilter/af_tremolo.c
@@ -28,6 +28,7 @@ typedef struct TremoloContext {
 double freq;
 double depth;
 double *table;
+ int table_size;
 int index;
 } TremoloContext;
@@ -72,7 +73,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
 dst += channels;
 src += channels;
 s->index++;
- if (s->index >= inlink->sample_rate / s->freq)
+ if (s->index >= s->table_size)
 s->index = 0;
 }
@@ -125,11 +126,12 @@ static int config_input(AVFilterLink *inlink)
 const double offset = 1. - s->depth / 2.;
 int i;
- s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table));
+ s->table_size = inlink->sample_rate / s->freq;
+ s->table = av_malloc_array(s->table_size, sizeof(*s->table));
 if (!s->table)
 return AVERROR(ENOMEM);
- for (i = 0; i < inlink->sample_rate / s->freq; i++) {
+ for (i = 0; i < s->table_size; i++) {
 double env = s->freq * i / inlink->sample_rate;
 env = sin(2 * M_PI * fmod(env + 0.25, 1.0));
 s->table[i] = env * (1 - fabs(offset)) + offset;
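Review bot: The new `table_size` member in TremoloContext carries the bound that every access to `table` depends on, but it is added without a comment saying so. A one-line note on the field would keep the invariant visible to the next editor, for example `int table_size; /* number of entries allocated in table; index must stay below this */`. The struct is shown only in part, so any existing documentation convention for its fields is not visible here.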
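Review bot: In filter_frame the wrap test runs only after `s->index++`, so the table read earlier in the loop body (outside this hunk, so inferred) still trusts whatever value `s->index` held on entry. If config_input can run again and produce a smaller table, which this patch does not show, a stale index would be used for one read before the reset. Setting `s->index = 0;` next to the `s->table_size` assignment in config_input would tie the index to the table it indexes. The loop starts and ends outside the hunk.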
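Review bot: `s->table_size` in config_input is assigned from a double division with an implicit conversion to int and no range check. A frequency above the sample rate would truncate it to 0, and the table would then have no usable entry while filter_frame still reads from it (that read is outside the hunks, so inferred). Whether the option limits on `freq` rule this out is not visible in the patch. An explicit guard before the allocation would make the bound independent of those limits: `if (s->table_size < 1) return AVERROR(EINVAL);`. config_input continues past the end of the hunk.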