[FFmpeg-cvslog] AAC encoder: fix OOB access in search_for_pns

Claudio Freire git at videolan.org
Sat Sep 26 09:51:54 CEST 2015 

ffmpeg | branch: master | Claudio Freire <klaussfreire at gmail.com> | Sat Sep 26 04:49:16 2015 -0300| [0f98fd30e2d3c7254a1c56ce42a9a8bf0f6dc0eb] | committer: Claudio Freire

AAC encoder: fix OOB access in search_for_pns

Fix out of bounds access caused by wrongful usage
of swb_offset constants when computing scalefactor
positions.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f98fd30e2d3c7254a1c56ce42a9a8bf0f6dc0eb
---

 libavcodec/aaccoder.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c
index 4749d8c..10ea14b 100644
--- a/libavcodec/aaccoder.c
+++ b/libavcodec/aaccoder.c
@@ -597,13 +597,13 @@ static void search_for_pns(AACEncContext *s, AVCodecContext *avctx, SingleChanne
 
     memcpy(sce->band_alt, sce->band_type, sizeof(sce->band_type));
     for (w = 0; w < sce->ics.num_windows; w += sce->ics.group_len[w]) {
-        int wstart = sce->ics.swb_offset[w*16];
+        int wstart = w*128;
         for (g = 0;  g < sce->ics.num_swb; g++) {
             int noise_sfi;
             float dist1 = 0.0f, dist2 = 0.0f, noise_amp;
             float pns_energy = 0.0f, pns_tgt_energy, energy_ratio, dist_thresh;
             float sfb_energy = 0.0f, threshold = 0.0f, spread = 0.0f;
-            const int start = sce->ics.swb_offset[w*16+g];
+            const int start = wstart+sce->ics.swb_offset[g];
             const float freq = (start-wstart)*freq_mult;
             const float freq_boost = FFMAX(0.88f*freq/NOISE_LOW_LIMIT, 1.0f);
             if (freq < NOISE_LOW_LIMIT || avctx->cutoff && freq >= avctx->cutoff)
@@ -632,7 +632,7 @@ static void search_for_pns(AACEncContext *s, AVCodecContext *avctx, SingleChanne
             noise_amp = -ff_aac_pow2sf_tab[noise_sfi + POW_SF2_ZERO];    /* Dequantize */
             for (w2 = 0; w2 < sce->ics.group_len[w]; w2++) {
                 float band_energy, scale, pns_senergy;
-                const int start_c = sce->ics.swb_offset[(w+w2)*16+g];
+                const int start_c = (w+w2)*128+sce->ics.swb_offset[g];
                 band = &s->psy.ch[s->cur_channel].psy_bands[(w+w2)*16+g];
                 for (i = 0; i < sce->ics.swb_sizes[g]; i++)
                     PNS[i] = s->random_state = lcg_random(s->random_state);

More information about the ffmpeg-cvslog mailing list