[FFmpeg-cvslog] twinvq: fix out of bounds array access

Mans Rullgard git at videolan.org
Wed May 2 21:26:52 CEST 2012


ffmpeg | branch: master | Mans Rullgard <mans at mansr.com> | Tue May  1 18:27:19 2012 +0100| [4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6] | committer: Mans Rullgard

twinvq: fix out of bounds array access

ModeTab.fmode has only 3 elements, so indexing it with ftype
in the initializer for 'size' is invalid when ftype == FT_PPC.

This fixes crashes with gcc 4.8.

Signed-off-by: Mans Rullgard <mans at mansr.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6
---

 libavcodec/twinvq.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 1577d77..67bc160 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -1000,14 +1000,16 @@ static av_cold void construct_perm_table(TwinContext *tctx,enum FrameType ftype)
 {
     int block_size;
     const ModeTab *mtab = tctx->mtab;
-    int size = tctx->avctx->channels*mtab->fmode[ftype].sub;
+    int size;
     int16_t *tmp_perm = (int16_t *) tctx->tmp_buf;
 
     if (ftype == FT_PPC) {
         size  = tctx->avctx->channels;
         block_size = mtab->ppc_shape_len;
-    } else
+    } else {
+        size       = tctx->avctx->channels * mtab->fmode[ftype].sub;
         block_size = mtab->size / mtab->fmode[ftype].sub;
+    }
 
     permutate_in_line(tmp_perm, tctx->n_div[ftype], size,
                       block_size, tctx->length[ftype],
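Review bot: In the new else branch, `mtab->fmode[ftype]` is still indexed by ftype with nothing but the preceding `if (ftype == FT_PPC)` test keeping the index inside the 3-element fmode array. A one-line comment on that branch, or an assert that ftype is below the number of fmode entries, would stop a later frame type from silently reintroducing the out-of-bounds read. The unchanged `permutate_in_line` call also reads `tctx->n_div[ftype]` and `tctx->length[ftype]` when ftype == FT_PPC; their sizes are not visible in this hunk, so it is worth confirming both arrays have an entry for FT_PPC.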


