[FFmpeg-devel] [PATCH] aacenc: Fix out of array accesses
Michael Niedermayer
michael at niedermayer.cc
Tue Jan 21 19:13:34 EET 2025
Fixes: ticket/11418
This needs to be reviewed by someone knowing aac
Found-by: 丁zhengzheng <xiaozheng.ding399 at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/aacenc_pred.c | 11 +++++++----
libavcodec/aacenc_tns.c | 9 ++++++---
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/libavcodec/aacenc_pred.c b/libavcodec/aacenc_pred.c
index a486c44d427..370987a210a 100644
--- a/libavcodec/aacenc_pred.c
+++ b/libavcodec/aacenc_pred.c
@@ -166,12 +166,15 @@ void ff_aac_adjust_common_pred(AACEncContext *s, ChannelElement *cpe)
start = 0;
for (g = 0; g < sce0->ics.num_swb; g++) {
int sfb = w*16+g;
- int sum = sce0->ics.prediction_used[sfb] + sce1->ics.prediction_used[sfb];
+
+ int sum = sfb < pmax ? sce0->ics.prediction_used[sfb] + sce1->ics.prediction_used[sfb] : 0;
float ener0 = 0.0f, ener1 = 0.0f, ener01 = 0.0f;
struct AACISError ph_err1, ph_err2, *erf;
- if (sfb < PRED_SFB_START || sfb > pmax || sum != 2) {
- RESTORE_PRED(sce0, sfb);
- RESTORE_PRED(sce1, sfb);
+ if (sfb < PRED_SFB_START || sum != 2) {
+ if (sfb < pmax) {
+ RESTORE_PRED(sce0, sfb);
+ RESTORE_PRED(sce1, sfb);
+ }
start += sce0->ics.swb_sizes[g];
continue;
}
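Review bot: The range check on `sfb` is now spread over the ternary that initialises `sum` and the nested `if (sfb < pmax)`, and neither place says that `pmax` is treated as an exclusive bound, whereas the removed condition `sfb > pmax` still let `sfb == pmax` through to the prediction path. A one-line comment above the `sum` initialiser would make that explicit, for example `/* pmax is exclusive: no prediction state is read or restored at or beyond it */`. The definition of `pmax` and the size of `prediction_used[]` are outside this hunk, so whether `pmax` can equal the array length should be confirmed there. The empty `+` line before the declaration can be dropped.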
diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
index fa3cd2af395..cc9cf25fb78 100644
--- a/libavcodec/aacenc_tns.c
+++ b/libavcodec/aacenc_tns.c
@@ -180,13 +180,16 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
}
for (w = 0; w < sce->ics.num_windows; w++) {
- float en[2] = {0.0f, 0.0f};
+ float en[3] = {0.0f, 0.0f, 0.0f};
int oc_start = 0;
int coef_start = sce->ics.swb_offset[sfb_start];
+ int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
- if (g > sfb_start + (sfb_len/2))
+ if (g > sfb_start + (2*sfb_len/n_filt))
+ en[2] += band->energy;
+ else if (g > sfb_start + (sfb_len/n_filt))
en[1] += band->energy;
else
en[0] += band->energy;
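Review bot: With `n_filt == 1` (the `is8` case) both thresholds, `sfb_start + sfb_len/n_filt` and `sfb_start + 2*sfb_len/n_filt`, appear to sit at or past the end of the loop range, so all band energy lands in `en[0]` and `en[1]` stays zero. The direction choice in the next hunk, `en[g] < en[!g]`, would then always be false for short windows when `slant == 2`, whereas the removed `sfb_len/2` split compared the lower and upper halves. If that change is not intended, keep at least a two-way split, e.g. `int n_split = n_filt > 1 ? n_filt : 2;` and divide by `n_split` in the two comparisons. How `sfb_len` relates to `sfb_end` is defined outside this hunk, so this should be checked against the earlier part of ff_aac_search_for_tns.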
@@ -199,7 +202,7 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain > TNS_GAIN_THRESHOLD_HIGH)
continue;
- tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+ tns->n_filt[w] = n_filt;
for (g = 0; g < tns->n_filt[w]; g++) {
tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
tns->order[w][g] = order/tns->n_filt[w];
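Review bot: For the third filter (`g == 2`) the expression `en[g] < en[!g]` compares `en[2]` with `en[0]`, because `!g` is 0 for any non-zero `g`; the read is in bounds now that `en` has three elements, but the comparison partner is the lowest band group rather than the adjacent one. If that is deliberate, a comment would help, e.g. `/* !g: filter 0 compares with group 1, filters 1 and 2 compare with group 0 */`. The loop also depends on `n_filt` never exceeding the three elements of `en`, which is only implied by the ternary in the previous hunk. The loop body continues past the end of this hunk.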
--
2.48.1