[FFmpeg-cvslog] twinvq: fix out of bounds array access

Mans Rullgard git at videolan.org
Sat Aug 9 19:49:33 CEST 2014


ffmpeg | branch: release/0.10 | Mans Rullgard <mans at mansr.com> | Tue May  1 18:27:19 2012 +0100| [50493f1f7d2235db811d2991b9e5b330baf7c05a] | committer: Diego Biurrun

twinvq: fix out of bounds array access

ModeTab.fmode has only 3 elements, so indexing it with ftype
in the initialier for 'size' is invalid when ftype == FT_PPC.

This fixes crashes with gcc 4.8.

Signed-off-by: Mans Rullgard <mans at mansr.com>
(cherry picked from commit 4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6)
Signed-off-by: Diego Biurrun <diego at biurrun.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50493f1f7d2235db811d2991b9e5b330baf7c05a
---

 libavcodec/twinvq.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 6d0a0ec..c58a9bc 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -1000,14 +1000,16 @@ static av_cold void construct_perm_table(TwinContext *tctx, int ftype)
 {
     int block_size;
     const ModeTab *mtab = tctx->mtab;
-    int size = tctx->avctx->channels*mtab->fmode[ftype].sub;
+    int size;
     int16_t *tmp_perm = (int16_t *) tctx->tmp_buf;
 
     if (ftype == FT_PPC) {
         size  = tctx->avctx->channels;
         block_size = mtab->ppc_shape_len;
-    } else
+    } else {
+        size       = tctx->avctx->channels * mtab->fmode[ftype].sub;
         block_size = mtab->size / mtab->fmode[ftype].sub;
+    }
 
     permutate_in_line(tmp_perm, tctx->n_div[ftype], size,
                       block_size, tctx->length[ftype],



More information about the ffmpeg-cvslog mailing list