mirror of https://github.com/FFmpeg/FFmpeg.git, synced 2025-01-29 22:00:58 +02:00
Alexey Tourbin
906ee41141
avfilter/af_stereowiden: fix read/write past the end of buffer
The stereowiden filter uses a buffer, s->buffer[], and a pointer within the buffer, s->write, to implement inter-channel delays. The loop which applies the delayed samples turns out to be faulty.

```c
109 for (n = 0; n < in->nb_samples; n++, src += 2, dst += 2) {
110     const float left = src[0], right = src[1];
111     float *read = s->write + 2;
112
113     if (read > s->buffer + s->length)
114         read = s->buffer;
115
116     dst[0] = drymix * left - crossfeed * right - feedback * read[1];
117     dst[1] = drymix * right - crossfeed * left - feedback * read[0];
118
119     s->write[0] = left;
120     s->write[1] = right;
121
122     if (s->write == s->buffer + s->length)
123         s->write = s->buffer;
124     else
125         s->write += 2;
126 }
```

For one, the buffer gets written past its end in lines 119-120, before the bound check is done in lines 122-123. This can be easily confirmed by valgrind.

```
==3544== Invalid read of size 4
==3544==    at 0x593B41: filter_frame (af_stereowiden.c:116)
==3544==  Address 0xb1b03c4 is 4 bytes after a block of size 7,680 alloc'd
==3544==
==3544== Invalid read of size 4
==3544==    at 0x593B66: filter_frame (af_stereowiden.c:117)
==3544==  Address 0xb1b03c0 is 0 bytes after a block of size 7,680 alloc'd
==3544==
==3544== Invalid write of size 4
==3544==    at 0x593B79: filter_frame (af_stereowiden.c:119)
==3544==  Address 0xb1b03c0 is 0 bytes after a block of size 7,680 alloc'd
==3544==
==3544== Invalid write of size 4
==3544==    at 0x593B7D: filter_frame (af_stereowiden.c:120)
==3544==  Address 0xb1b03c4 is 4 bytes after a block of size 7,680 alloc'd
```

Also, using two separate pointers, s->write and read = s->write + 2, does not seem to be well thought out. To apply the delay of s->buffer[], it is enough to read the delayed samples at the current position within the buffer, and then to store new samples at the same current position. Thus the application of delayed samples can probably be best described with a single pointer s->cur.

I also introduce a minor change to ensure that the size of s->buffer[] is always a multiple of 2. Since the delay parameter is a float, it is otherwise possible to trick the code into allocating an off-by-one buffer.
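The single-cursor ring buffer the commit message proposes, as an added C example written for this page; it is not FFmpeg's af_stereowiden.c, and the `StereoWiden` struct, the `sw_*` functions and the guard values are assumptions made for illustration. One cursor, `cur`, reads the delayed pair and then overwrites it in place, and the wrap check runs after advancing, so `cur` can never reach `buffer + length`. The buffer length is derived from whole sample frames, so it is always even, and guard floats on either side of the allocation let a caller confirm that no write escapes the buffer.

```c
#include <stdlib.h>

/* Stand-alone model of a stereo-widening delay line, written for this page as an
 * illustration; it is not FFmpeg's af_stereowiden.c. Samples are interleaved
 * L/R floats, and one cursor (cur) both reads the delayed pair and overwrites it. */
typedef struct {
    float *block;     /* allocation: one guard float, the ring buffer, one guard float */
    float *buffer;    /* ring buffer of `length` floats; length is always even */
    float *cur;       /* current position; invariant: buffer <= cur < buffer + length */
    size_t length;
    float drymix, crossfeed, feedback;
} StereoWiden;

#define GUARD_VALUE 12345.0f   /* constructed sentinel that detects writes past the buffer */

/* Delay in whole sample frames; the buffer holds 2 floats per frame, so its size
 * is a multiple of 2 regardless of the fractional delay (in ms) the user passes. */
static size_t sw_length_for(float delay_ms, int sample_rate)
{
    size_t frames = (size_t)(delay_ms * sample_rate / 1000.0f);
    if (frames < 1)
        frames = 1;
    return frames * 2;
}

static int sw_init(StereoWiden *s, float delay_ms, int sample_rate,
                   float drymix, float crossfeed, float feedback)
{
    s->length = sw_length_for(delay_ms, sample_rate);
    s->block  = calloc(s->length + 2, sizeof(*s->block));
    if (!s->block)
        return -1;
    s->block[0] = s->block[s->length + 1] = GUARD_VALUE;
    s->buffer = s->block + 1;
    s->cur    = s->buffer;
    s->drymix = drymix; s->crossfeed = crossfeed; s->feedback = feedback;
    return 0;
}

static void sw_free(StereoWiden *s)
{
    free(s->block);
    s->block = s->buffer = s->cur = NULL;
}

/* 1 if neither guard was touched, i.e. no write went past either end of the ring. */
static int sw_guards_intact(const StereoWiden *s)
{
    return s->block[0] == GUARD_VALUE && s->block[s->length + 1] == GUARD_VALUE;
}

static void sw_process(StereoWiden *s, const float *src, float *dst, int nb_samples)
{
    for (int n = 0; n < nb_samples; n++, src += 2, dst += 2) {
        const float left = src[0], right = src[1];

        /* cur holds the pair written length/2 frames ago: the delayed samples. */
        dst[0] = s->drymix * left  - s->crossfeed * right - s->feedback * s->cur[1];
        dst[1] = s->drymix * right - s->crossfeed * left  - s->feedback * s->cur[0];

        /* Overwrite the consumed pair in place; cur is in bounds by the invariant. */
        s->cur[0] = left;
        s->cur[1] = right;

        /* Advance, then wrap before the next access: because length is even, cur
         * lands exactly on buffer + length after the last pair and wraps to 0. */
        s->cur += 2;
        if (s->cur >= s->buffer + s->length)
            s->cur = s->buffer;
    }
}

typedef struct { int frame; float gain; int guards_ok; } ImpulseResult;

/* Feed a single left-channel impulse (constructed input) and report the frame at
 * which it surfaces on the right output, with what gain, and whether the guards
 * survived the run. frame is -1 if the impulse never appears. */
static ImpulseResult sw_impulse_test(float delay_ms, int sample_rate, int nb_frames)
{
    ImpulseResult r = { -1, 0.0f, 0 };
    StereoWiden s;
    float *in, *out;
    if (sw_init(&s, delay_ms, sample_rate, 1.0f, 0.0f, 0.5f) < 0)
        return r;
    in  = calloc((size_t)nb_frames * 2, sizeof(float));
    out = calloc((size_t)nb_frames * 2, sizeof(float));
    if (in && out) {
        in[0] = 1.0f;                      /* left = 1 at frame 0, silence elsewhere */
        sw_process(&s, in, out, nb_frames);
        for (int n = 0; n < nb_frames; n++) {
            if (out[2 * n + 1] != 0.0f) { r.frame = n; r.gain = out[2 * n + 1]; break; }
        }
        r.guards_ok = sw_guards_intact(&s);
    }
    free(in); free(out); sw_free(&s);
    return r;
}
```

`sw_impulse_test` runs enough frames for the cursor to wrap several times; the impulse shows up on the right channel exactly `length / 2` frames later (frame 960 for 20 ms at 48 kHz), scaled by `-feedback`, and both guard values are still in place afterwards, which is the property the original loop violated.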
FFmpeg README
FFmpeg is a collection of libraries and tools to process multimedia content such as audio, video, subtitles and related metadata.
Libraries
- libavcodec provides implementation of a wider range of codecs.
- libavformat implements streaming protocols, container formats and basic I/O access.
- libavutil includes hashers, decompressors and miscellaneous utility functions.
- libavfilter provides a means to alter decoded audio and video through a chain of filters.
- libavdevice provides an abstraction to access capture and playback devices.
- libswresample implements audio mixing and resampling routines.
- libswscale implements color conversion and scaling routines.
Tools
- ffmpeg is a command line toolbox to manipulate, convert and stream multimedia content.
- ffplay is a minimalistic multimedia player.
- ffprobe is a simple analysis tool to inspect multimedia content.
- ffserver is a multimedia streaming server for live broadcasts.
- Additional small tools such as aviocat, ismindex and qt-faststart.
Documentation
The offline documentation is available in the doc/ directory.
The online documentation is available in the main website and in the wiki.
Examples
Coding examples are available in the doc/examples directory.
License
FFmpeg codebase is mainly LGPL-licensed with optional components licensed under GPL. Please refer to the LICENSE file for detailed information.
Contributing
Patches should be submitted to the ffmpeg-devel mailing list using git format-patch or git send-email. Github pull requests should be avoided because they are not part of our review process. Few developers follow pull requests so they will likely be ignored.