har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/ac3: fix out of array access introduced previously

Browse Source 
Signed-off-by: Paul B Mahol <onemda@gmail.com>
This commit is contained in:
Paul B Mahol 2018-03-30 10:14:48 +02:00
parent 91bb871376
commit 0b86ea03d8
3 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
libavcodec/ac3.h
View File

@ -28,6 +28,7 @@
#define AVCODEC_AC3_H
#define AC3_MAX_CODED_FRAME_SIZE 3840 /* in bytes */
#define EAC3_MAX_CHANNELS 16 /**< maximum number of channels in EAC3 */
#define AC3_MAX_CHANNELS 7 /**< maximum number of channels, including coupling channel */
#define CPL_CH 0 /**< coupling channel index */

10
libavcodec/ac3dec.c
View File

@ -1488,7 +1488,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
int blk, ch, err, offset, ret;
int got_independent_frame = 0;
const uint8_t *channel_map;
uint8_t extended_channel_map[AC3_MAX_CHANNELS * 2];
uint8_t extended_channel_map[EAC3_MAX_CHANNELS];
const SHORTFLOAT *output[AC3_MAX_CHANNELS];
enum AVMatrixEncoding matrix_encoding;
AVDownmixInfo *downmix_info;
@ -1685,7 +1685,7 @@ dependent_frame:
avctx->bit_rate = s->bit_rate + s->prev_bit_rate;
}
for (ch = 0; ch < 16; ch++)
for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++)
extended_channel_map[ch] = ch;
if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT) {
@ -1698,7 +1698,7 @@ dependent_frame:
channel_layout = ich_layout;
for (ch = 0; ch < 16; ch++) {
if (s->channel_map & (1 << (15 - ch))) {
if (s->channel_map & (1 << (EAC3_MAX_CHANNELS - ch - 1))) {
channel_layout |= custom_channel_map_locations[ch][1];
}
}
@ -1706,8 +1706,8 @@ dependent_frame:
avctx->channel_layout = channel_layout;
avctx->channels = av_get_channel_layout_nb_channels(channel_layout);
for (ch = 0; ch < 16; ch++) {
if (s->channel_map & (1 << (15 - ch))) {
for (ch = 0; ch < EAC3_MAX_CHANNELS; ch++) {
if (s->channel_map & (1 << (EAC3_MAX_CHANNELS - ch - 1))) {
if (custom_channel_map_locations[ch][0]) {
int index = av_get_channel_layout_channel_index(channel_layout,
custom_channel_map_locations[ch][1]);

6
libavcodec/ac3dec.h
View File

@ -242,12 +242,12 @@ typedef struct AC3DecodeContext {
///@name Aligned arrays
DECLARE_ALIGNED(16, int, fixed_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< fixed-point transform coefficients
DECLARE_ALIGNED(32, INTFLOAT, transform_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< transform coefficients
DECLARE_ALIGNED(32, INTFLOAT, delay)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< delay - added to the next block
DECLARE_ALIGNED(32, INTFLOAT, delay)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< delay - added to the next block
DECLARE_ALIGNED(32, INTFLOAT, window)[AC3_BLOCK_SIZE]; ///< window coefficients
DECLARE_ALIGNED(32, INTFLOAT, tmp_output)[AC3_BLOCK_SIZE]; ///< temporary storage for output before windowing
DECLARE_ALIGNED(32, SHORTFLOAT, output)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< output after imdct transform and windowing
DECLARE_ALIGNED(32, SHORTFLOAT, output)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< output after imdct transform and windowing
DECLARE_ALIGNED(32, uint8_t, input_buffer)[AC3_FRAME_BUFFER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; ///< temp buffer to prevent overread
DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[2 * AC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6]; ///< final output buffer
DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[EAC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6]; ///< final output buffer
///@}
} AC3DecodeContext;