[FFmpeg-cvslog] twinvq: fix out of bounds array access
Mans Rullgard
git at videolan.org
Sat Aug 9 19:49:33 CEST 2014
ffmpeg | branch: release/0.10 | Mans Rullgard <mans at mansr.com> | Tue May 1 18:27:19 2012 +0100| [50493f1f7d2235db811d2991b9e5b330baf7c05a] | committer: Diego Biurrun
twinvq: fix out of bounds array access
ModeTab.fmode has only 3 elements, so indexing it with ftype
in the initialier for 'size' is invalid when ftype == FT_PPC.
This fixes crashes with gcc 4.8.
Signed-off-by: Mans Rullgard <mans at mansr.com>
(cherry picked from commit 4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6)
Signed-off-by: Diego Biurrun <diego at biurrun.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50493f1f7d2235db811d2991b9e5b330baf7c05a
---
libavcodec/twinvq.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 6d0a0ec..c58a9bc 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -1000,14 +1000,16 @@ static av_cold void construct_perm_table(TwinContext *tctx, int ftype)
{
int block_size;
const ModeTab *mtab = tctx->mtab;
- int size = tctx->avctx->channels*mtab->fmode[ftype].sub;
+ int size;
int16_t *tmp_perm = (int16_t *) tctx->tmp_buf;
if (ftype == FT_PPC) {
size = tctx->avctx->channels;
block_size = mtab->ppc_shape_len;
- } else
+ } else {
+ size = tctx->avctx->channels * mtab->fmode[ftype].sub;
block_size = mtab->size / mtab->fmode[ftype].sub;
+ }
permutate_in_line(tmp_perm, tctx->n_div[ftype], size,
block_size, tctx->length[ftype],
More information about the ffmpeg-cvslog
mailing list