[FFmpeg-devel] [PATCH 1/2] avcodec/eac3: add support for dependent stream

James Almer jamrial at gmail.com
Fri Mar 30 05:58:15 EEST 2018


On 3/28/2018 3:59 PM, Paul B Mahol wrote:
> Signed-off-by: Paul B Mahol <onemda at gmail.com>
> ---
>  libavcodec/aac_ac3_parser.c |   9 ++-
>  libavcodec/ac3_parser.c     |   2 +-
>  libavcodec/ac3dec.c         | 177 +++++++++++++++++++++++++++++++++++---------
>  libavcodec/ac3dec.h         |  10 ++-
>  libavcodec/eac3dec.c        |  11 +--
>  tests/ref/fate/ts-demux     |   2 +-
>  tests/ref/seek/lavf-rm      |   6 +-
>  7 files changed, 164 insertions(+), 53 deletions(-)
> 

> @@ -1463,14 +1483,17 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
>  {
>      AVFrame *frame     = data;
>      const uint8_t *buf = avpkt->data;
> -    int buf_size = avpkt->size;
> +    int buf_size, full_buf_size = avpkt->size;
>      AC3DecodeContext *s = avctx->priv_data;
> -    int blk, ch, err, ret;
> +    int blk, ch, err, offset, ret;
> +    int got_independent_frame = 0;
>      const uint8_t *channel_map;
> +    uint8_t extended_channel_map[AC3_MAX_CHANNELS * 2];
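Review bot: `buf_size` is declared without an initialiser on the changed line (`int buf_size, full_buf_size = avpkt->size;`); the assignment from `full_buf_size` must precede the first read of `buf_size`, and none is visible in this hunk. Also, `extended_channel_map[AC3_MAX_CHANNELS * 2]` writes the independent-plus-dependent channel limit as an inline `2 *`, as the struct hunk below does too; a single named constant would keep the array and every loop over it in agreement.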

AC3_MAX_CHANNELS is 7

[...]

> +    for (ch = 0; ch < 16; ch++)
> +        extended_channel_map[ch] = ch;
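Review bot: this loop runs `ch` to 16, but `extended_channel_map` is declared above with `AC3_MAX_CHANNELS * 2` elements (14 when `AC3_MAX_CHANNELS` is 7), so the last two iterations write past the end of the stack array. Take the bound from the array rather than a literal, e.g. `for (ch = 0; ch < FF_ARRAY_ELEMS(extended_channel_map); ch++)`, or size the array and the loop from one shared constant.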

Which means an out-of-array access takes place here.

This is making all ac3 and eac3 tests crash with SIGABRT on Linux GCC
when -fstack-protector is enabled (which is on by default).

http://fate.ffmpeg.org/report.cgi?time=20180329202433&slot=x86_64-archlinux-gcc-threads-auto

[...]

> @@ -239,11 +242,12 @@ typedef struct AC3DecodeContext {
>  ///@name Aligned arrays
>      DECLARE_ALIGNED(16, int,   fixed_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS];       ///< fixed-point transform coefficients
>      DECLARE_ALIGNED(32, INTFLOAT, transform_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS];   ///< transform coefficients
> -    DECLARE_ALIGNED(32, INTFLOAT, delay)[AC3_MAX_CHANNELS][AC3_BLOCK_SIZE];             ///< delay - added to the next block
> +    DECLARE_ALIGNED(32, INTFLOAT, delay)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE];         ///< delay - added to the next block
>      DECLARE_ALIGNED(32, INTFLOAT, window)[AC3_BLOCK_SIZE];                              ///< window coefficients
>      DECLARE_ALIGNED(32, INTFLOAT, tmp_output)[AC3_BLOCK_SIZE];                          ///< temporary storage for output before windowing
> -    DECLARE_ALIGNED(32, SHORTFLOAT, output)[AC3_MAX_CHANNELS][AC3_BLOCK_SIZE];            ///< output after imdct transform and windowing
> +    DECLARE_ALIGNED(32, SHORTFLOAT, output)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE];            ///< output after imdct transform and windowing
>      DECLARE_ALIGNED(32, uint8_t, input_buffer)[AC3_FRAME_BUFFER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; ///< temp buffer to prevent overread
> +    DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6];  ///< final output buffer
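Review bot: only `delay`, `output` and the new `output_buffer` are widened to `2 * AC3_MAX_CHANNELS`; `fixed_coeffs` and `transform_coeffs` in the same block keep `AC3_MAX_CHANNELS`. If any of the undoubled arrays is ever indexed with the extended channel index (up to `2 * AC3_MAX_CHANNELS - 1`) for a dependent-stream channel, that is a heap overrun inside the context rather than a stack one, which `-fstack-protector` will not catch. Either widen every per-channel array or check the extended index against the dimension of the array actually being written, and state in the commit message which arrays the extended index reaches.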

Not sure if the same happens with these, but better make sure.
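The two hazards raised in this reply, a loop bound that disagrees with the array it fills and an extended channel index applied to arrays of different sizes, in a small self-contained C program. This is an added example, not code from the patch or from FFmpeg; `AC3_MAX_CHANNELS` is 7 as stated above, and every other name (`EXT_MAX_CHANNELS`, `N_ELEMS`, `toy_ctx`, the functions) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not FFmpeg code. AC3_MAX_CHANNELS is 7 as the review
 * states; every other name below is hypothetical. */
#define AC3_MAX_CHANNELS 7
#define EXT_MAX_CHANNELS (2 * AC3_MAX_CHANNELS)    /* independent + dependent */
#define N_ELEMS(a) (sizeof(a) / sizeof((a)[0]))    /* same idea as FF_ARRAY_ELEMS */

/* Elements a loop running to loop_bound writes past the end of an array of
 * n_elems elements. Non-zero is the stack smash -fstack-protector aborted on:
 * the patch declares 14 elements and loops to 16. */
static size_t overrun_elems(size_t n_elems, size_t loop_bound)
{
    return loop_bound > n_elems ? loop_bound - n_elems : 0;
}

/* Identity channel map with the bound taken from the array's own element
 * count, so the declaration and the loop cannot drift apart. */
static size_t init_extended_channel_map(uint8_t *map, size_t n_elems)
{
    for (size_t ch = 0; ch < n_elems; ch++)
        map[ch] = (uint8_t)ch;
    return n_elems;
}

/* Run init_extended_channel_map on a correctly sized stack array and verify
 * every entry; returns the entry count, or 0 on any mismatch. */
static size_t channel_map_selftest(void)
{
    uint8_t map[EXT_MAX_CHANNELS];
    size_t n = init_extended_channel_map(map, N_ELEMS(map));
    for (size_t ch = 0; ch < n; ch++)
        if ((size_t)map[ch] != ch)
            return 0;
    return n;
}

/* Toy stand-in for the context hunk: one per-channel array still sized for a
 * single stream, one doubled. */
typedef struct {
    int coeffs[AC3_MAX_CHANNELS];   /* like fixed_coeffs / transform_coeffs */
    int delay[EXT_MAX_CHANNELS];    /* like the widened delay / output */
} toy_ctx;

/* Store one value for extended channel ch in both arrays. Each index is
 * checked against the array it is about to touch, so a dependent-stream
 * channel (ch >= AC3_MAX_CHANNELS) is rejected instead of overrunning coeffs,
 * even though it would fit in delay. Returns 0 on success, -1 if any array
 * is too small for ch. */
static int store_extended_channel(toy_ctx *c, size_t ch, int value)
{
    if (ch >= N_ELEMS(c->coeffs) || ch >= N_ELEMS(c->delay))
        return -1;
    c->coeffs[ch] = value;
    c->delay[ch]  = value;
    return 0;
}

/* Same check on a fresh context, for callers that only want the verdict. */
static int store_extended_channel_fresh(size_t ch)
{
    toy_ctx c = {{0}, {0}};
    return store_extended_channel(&c, ch, 1);
}

int main(void)
{
    printf("loop to 16 over %d elements overruns by %zu element(s)\n",
           EXT_MAX_CHANNELS, overrun_elems(EXT_MAX_CHANNELS, 16));
    printf("channel map entries written and verified: %zu\n",
           channel_map_selftest());
    printf("store ch 6: %d, store ch 7: %d, store ch 13: %d\n",
           store_extended_channel_fresh(6), store_extended_channel_fresh(7),
           store_extended_channel_fresh(13));
    return 0;
}
```

The check in `store_extended_channel` is deliberately per array: widening `delay` alone does not make an index of 7 or more safe for `coeffs`, which is the concern about the remaining `AC3_MAX_CHANNELS`-sized fields in the struct.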


