[FFmpeg-cvslog] avcodec/ac3: fix out of array access introduced previously
Paul B Mahol
git at videolan.org
Fri Mar 30 11:16:49 EEST 2018
ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Fri Mar 30 10:14:48 2018 +0200| [0b86ea03d8415b5a3a6b07f3012a8097bca26ea5] | committer: Paul B Mahol
avcodec/ac3: fix out of array access introduced previously
Signed-off-by: Paul B Mahol <onemda at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0b86ea03d8415b5a3a6b07f3012a8097bca26ea5
---
libavcodec/ac3.h | 1 +
libavcodec/ac3dec.c | 10 +++++-----
libavcodec/ac3dec.h | 6 +++---
3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h
index 5c9c37727e..f8f6a81f45 100644
--- a/libavcodec/ac3.h
+++ b/libavcodec/ac3.h
@@ -28,6 +28,7 @@
#define AVCODEC_AC3_H
#define AC3_MAX_CODED_FRAME_SIZE 3840 /* in bytes */
+#define EAC3_MAX_CHANNELS 16 /**< maximum number of channels in EAC3 */
#define AC3_MAX_CHANNELS 7 /**< maximum number of channels, including coupling channel */
#define CPL_CH 0 /**< coupling channel index */
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index ac5c6d636a..b14d2e74ac 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1488,7 +1488,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
int blk, ch, err, offset, ret;
int got_independent_frame = 0;
const uint8_t *channel_map;
- uint8_t extended_channel_map[AC3_MAX_CHANNELS * 2];
+ uint8_t extended_channel_map[EAC3_MAX_CHANNELS];
const SHORTFLOAT *output[AC3_MAX_CHANNELS];
enum AVMatrixEncoding matrix_encoding;
AVDownmixInfo *downmix_info;
@@ -1685,7 +1685,7 @@ dependent_frame:
avctx->bit_rate = s->bit_rate + s->prev_bit_rate;
}
- for (ch = 0; ch < 16; ch++)
+ for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++)
extended_channel_map[ch] = ch;
if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT) {
@@ -1698,7 +1698,7 @@ dependent_frame:
channel_layout = ich_layout;
for (ch = 0; ch < 16; ch++) {
- if (s->channel_map & (1 << (15 - ch))) {
+ if (s->channel_map & (1 << (EAC3_MAX_CHANNELS - ch - 1))) {
channel_layout |= custom_channel_map_locations[ch][1];
}
}
@@ -1706,8 +1706,8 @@ dependent_frame:
avctx->channel_layout = channel_layout;
avctx->channels = av_get_channel_layout_nb_channels(channel_layout);
- for (ch = 0; ch < 16; ch++) {
- if (s->channel_map & (1 << (15 - ch))) {
+ for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++) {
+ if (s->channel_map & (1 << (EAC3_MAX_CHANNELS - ch - 1))) {
if (custom_channel_map_locations[ch][0]) {
int index = av_get_channel_layout_channel_index(channel_layout,
custom_channel_map_locations[ch][1]);
diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h
index ae5ef4bbc9..ce1434b55c 100644
--- a/libavcodec/ac3dec.h
+++ b/libavcodec/ac3dec.h
@@ -242,12 +242,12 @@ typedef struct AC3DecodeContext {
///@name Aligned arrays
DECLARE_ALIGNED(16, int, fixed_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< fixed-point transform coefficients
DECLARE_ALIGNED(32, INTFLOAT, transform_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< transform coefficients
- DECLARE_ALIGNED(32, INTFLOAT, delay)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< delay - added to the next block
+ DECLARE_ALIGNED(32, INTFLOAT, delay)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< delay - added to the next block
DECLARE_ALIGNED(32, INTFLOAT, window)[AC3_BLOCK_SIZE]; ///< window coefficients
DECLARE_ALIGNED(32, INTFLOAT, tmp_output)[AC3_BLOCK_SIZE]; ///< temporary storage for output before windowing
- DECLARE_ALIGNED(32, SHORTFLOAT, output)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< output after imdct transform and windowing
+ DECLARE_ALIGNED(32, SHORTFLOAT, output)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< output after imdct transform and windowing
DECLARE_ALIGNED(32, uint8_t, input_buffer)[AC3_FRAME_BUFFER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; ///< temp buffer to prevent overread
- DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6]; ///< final output buffer
+ DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6]; ///< final output buffer
///@}
} AC3DecodeContext;
More information about the ffmpeg-cvslog
mailing list