ac3dec: fix bugs in direct buffer use.

This fixes potentially exploitable out-of-array writes.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer 2012-12-10 03:11:16 +01:00
parent 529d3e0026
commit 7aabeea9ba
1 changed files with 7 additions and 3 deletions


@ -1384,12 +1384,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
/* decode the audio blocks */
channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on];
for (ch = 0; ch < AC3_MAX_CHANNELS; ch++) {
output[ch] = s->output[ch];
}
for (ch = 0; ch < s->channels; ch++) {
if (ch < s->out_channels)
s->outptr[channel_map[ch]] = (float *)s->frame.data[ch];
else
s->outptr[ch] = s->output[ch];
output[ch] = s->output[ch];
}
for (blk = 0; blk < s->num_blocks; blk++) {
if (!err && decode_audio_block(s, blk)) {
@ -1398,10 +1400,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
}
if (err)
for (ch = 0; ch < s->out_channels; ch++)
memcpy(s->outptr[channel_map[ch]], output[ch], 1024);
memcpy(((float*)s->frame.data[ch]) + AC3_BLOCK_SIZE*blk, output[ch], 1024);
for (ch = 0; ch < s->out_channels; ch++) {
output[ch] = s->outptr[channel_map[ch]];
s->outptr[channel_map[ch]] += AC3_BLOCK_SIZE;
}
for (ch = 0; ch < s->channels; ch++) {
s->outptr[ch] += AC3_BLOCK_SIZE;
}
}
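Review bot: The new loop that closes the block loop advances `s->outptr[ch]` for every `ch < s->channels`, which includes the entries the setup loop pointed at `s->output[ch]` rather than at `s->frame.data[ch]`. If `s->output[ch]` holds only one block of samples (its size is not visible here), those entries point past their buffer from the second block on, and whether anything writes through them depends on `decode_audio_block`, which is outside the hunk. Recomputing only the frame-backed entries from `blk`, the way the error-path `memcpy` now addresses its destination, would avoid that: `s->outptr[channel_map[ch]] = (float *)s->frame.data[ch] + AC3_BLOCK_SIZE * (blk + 1);` for `ch < s->out_channels`. The `memcpy` length is also still the literal `1024` while its destination offset is counted in `AC3_BLOCK_SIZE` floats; assuming 1024 is meant as one block of floats, `AC3_BLOCK_SIZE * sizeof(float)` would keep the two tied together. `ac3_decode_frame` begins and ends outside both hunks.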