Browse code
ac3: detect dba errors and prevent writing past end of array
Originally committed as revision 16034 to svn://svn.ffmpeg.org/ffmpeg/trunk
Justin Ruggles authored on 2008/12/08 12:13:20Showing 3 changed files
| ... | ... |
@@ -80,7 +80,7 @@ void ff_ac3_bit_alloc_calc_psd(int8_t *exp, int start, int end, int16_t *psd, |
| 80 | 80 |
} while (end > band_start_tab[k]); |
| 81 | 81 |
} |
| 82 | 82 |
|
| 83 |
-void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, |
|
| 83 |
+int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, |
|
| 84 | 84 |
int start, int end, int fast_gain, int is_lfe, |
| 85 | 85 |
int dba_mode, int dba_nsegs, uint8_t *dba_offsets, |
| 86 | 86 |
uint8_t *dba_lengths, uint8_t *dba_values, |
| ... | ... |
@@ -156,9 +156,13 @@ void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, |
| 156 | 156 |
|
| 157 | 157 |
if (dba_mode == DBA_REUSE || dba_mode == DBA_NEW) {
|
| 158 | 158 |
int band, seg, delta; |
| 159 |
+ if (dba_nsegs >= 8) |
|
| 160 |
+ return -1; |
|
| 159 | 161 |
band = 0; |
| 160 |
- for (seg = 0; seg < FFMIN(8, dba_nsegs); seg++) {
|
|
| 161 |
- band = FFMIN(49, band + dba_offsets[seg]); |
|
| 162 |
+ for (seg = 0; seg < dba_nsegs; seg++) {
|
|
| 163 |
+ band += dba_offsets[seg]; |
|
| 164 |
+ if (band >= 50 || dba_lengths[seg] > 50-band) |
|
| 165 |
+ return -1; |
|
| 162 | 166 |
if (dba_values[seg] >= 4) {
|
| 163 | 167 |
delta = (dba_values[seg] - 3) << 7; |
| 164 | 168 |
} else {
|
| ... | ... |
@@ -170,6 +174,7 @@ void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, |
| 170 | 170 |
} |
| 171 | 171 |
} |
| 172 | 172 |
} |
| 173 |
+ return 0; |
|
| 173 | 174 |
} |
| 174 | 175 |
|
| 175 | 176 |
void ff_ac3_bit_alloc_calc_bap(int16_t *mask, int16_t *psd, int start, int end, |
| ... | ... |
@@ -149,8 +149,9 @@ void ff_ac3_bit_alloc_calc_psd(int8_t *exp, int start, int end, int16_t *psd, |
| 149 | 149 |
* @param[in] dba_lengths length of each segment |
| 150 | 150 |
* @param[in] dba_values delta bit allocation for each segment |
| 151 | 151 |
* @param[out] mask calculated masking curve |
| 152 |
+ * @return returns 0 for success, non-zero for error |
|
| 152 | 153 |
*/ |
| 153 |
-void ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, |
|
| 154 |
+int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd, |
|
| 154 | 155 |
int start, int end, int fast_gain, int is_lfe, |
| 155 | 156 |
int dba_mode, int dba_nsegs, uint8_t *dba_offsets, |
| 156 | 157 |
uint8_t *dba_lengths, uint8_t *dba_values, |
| ... | ... |
@@ -1133,12 +1133,15 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) |
| 1133 | 1133 |
if(bit_alloc_stages[ch] > 1) {
|
| 1134 | 1134 |
/* Compute excitation function, Compute masking curve, and |
| 1135 | 1135 |
Apply delta bit allocation */ |
| 1136 |
- ff_ac3_bit_alloc_calc_mask(&s->bit_alloc_params, s->band_psd[ch], |
|
| 1136 |
+ if (ff_ac3_bit_alloc_calc_mask(&s->bit_alloc_params, s->band_psd[ch], |
|
| 1137 | 1137 |
s->start_freq[ch], s->end_freq[ch], |
| 1138 | 1138 |
s->fast_gain[ch], (ch == s->lfe_ch), |
| 1139 | 1139 |
s->dba_mode[ch], s->dba_nsegs[ch], |
| 1140 | 1140 |
s->dba_offsets[ch], s->dba_lengths[ch], |
| 1141 |
- s->dba_values[ch], s->mask[ch]); |
|
| 1141 |
+ s->dba_values[ch], s->mask[ch])) {
|
|
| 1142 |
+ av_log(s->avctx, AV_LOG_ERROR, "error in bit allocation\n"); |
|
| 1143 |
+ return -1; |
|
| 1144 |
+ } |
|
| 1142 | 1145 |
} |
| 1143 | 1146 |
if(bit_alloc_stages[ch] > 0) {
|
| 1144 | 1147 |
/* Compute bit allocation */ |