[FFmpeg-cvslog] amrwbdec: fix invalid pointer arithmetic

Sun Oct 28 14:29:10 CET 2012

ffmpeg | branch: master | Mans Rullgard <mans at mansr.com> | Fri Oct 26 22:44:38 2012 +0100| [50be207759aa7a69a27de585f7d870ec41eba036] | committer: Mans Rullgard

amrwbdec: fix invalid pointer arithmetic

Subtracting a (positive) value from the address of an array violates
C99 section 6.5.6:

  If both the pointer operand and the result point to elements of the
  same array object, or one past the last element of the array object,
  the evaluation shall not produce an overflow; otherwise, the
  behavior is undefined.

Signed-off-by: Mans Rullgard <mans at mansr.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50be207759aa7a69a27de585f7d870ec41eba036
---

 libavcodec/amrwbdec.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c
index 5cc96ab..c9c793f 100644
--- a/libavcodec/amrwbdec.c
+++ b/libavcodec/amrwbdec.c
@@ -902,10 +902,9 @@ static float auto_correlation(float *diff_isf, float mean, int lag)
 static void extrapolate_isf(float isf[LP_ORDER_16k])
 {
     float diff_isf[LP_ORDER - 2], diff_mean;
-    float *diff_hi = diff_isf - LP_ORDER + 1; // diff array for extrapolated indexes
     float corr_lag[3];
     float est, scale;
-    int i, i_max_corr;
+    int i, j, i_max_corr;
 
     isf[LP_ORDER_16k - 1] = isf[LP_ORDER - 1];
 
@@ -936,20 +935,20 @@ static void extrapolate_isf(float isf[LP_ORDER_16k])
     scale = 0.5 * (FFMIN(est, 7600) - isf[LP_ORDER - 2]) /
             (isf[LP_ORDER_16k - 2] - isf[LP_ORDER - 2]);
 
-    for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
-        diff_hi[i] = scale * (isf[i] - isf[i - 1]);
+    for (i = LP_ORDER - 1, j = 0; i < LP_ORDER_16k - 1; i++, j++)
+        diff_isf[j] = scale * (isf[i] - isf[i - 1]);
 
     /* Stability insurance */
-    for (i = LP_ORDER; i < LP_ORDER_16k - 1; i++)
-        if (diff_hi[i] + diff_hi[i - 1] < 5.0) {
-            if (diff_hi[i] > diff_hi[i - 1]) {
-                diff_hi[i - 1] = 5.0 - diff_hi[i];
+    for (i = 1; i < LP_ORDER_16k - LP_ORDER; i++)
+        if (diff_isf[i] + diff_isf[i - 1] < 5.0) {
+            if (diff_isf[i] > diff_isf[i - 1]) {
+                diff_isf[i - 1] = 5.0 - diff_isf[i];
             } else
-                diff_hi[i] = 5.0 - diff_hi[i - 1];
+                diff_isf[i] = 5.0 - diff_isf[i - 1];
         }
 
-    for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
-        isf[i] = isf[i - 1] + diff_hi[i] * (1.0f / (1 << 15));
+    for (i = LP_ORDER - 1, j = 0; i < LP_ORDER_16k - 1; i++, j++)
+        isf[i] = isf[i - 1] + diff_isf[j] * (1.0f / (1 << 15));
 
     /* Scale the ISF vector for 16000 Hz */
     for (i = 0; i < LP_ORDER_16k - 1; i++)

