aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRonald S. Bultje <rsbultje@gmail.com>2010-08-09 13:54:59 +0000
committerRonald S. Bultje <rsbultje@gmail.com>2010-08-09 13:54:59 +0000
commitaf0a61cc4045fcd4e875799aac93711be95ed660 (patch)
treeddf37b626c8d12d276f83dc80ec08041968fb34d
parentb5c4bb989d4085625f212b9b6378e4ee0a1a9ca8 (diff)
downloadffmpeg-af0a61cc4045fcd4e875799aac93711be95ed660.tar.gz
Fix buffer overrun if idx is negative (it can be down to -23>>4), by prepending
two padding zeroes before it. Should fix fate failures on openBSD and crashes on MacOSX (that I cannot reproduce). Originally committed as revision 24750 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/wmavoice.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index c4582f35cc..b500c21e66 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1033,7 +1033,8 @@ static void aw_parse_coords(WMAVoiceContext *s, GetBitContext *gb,
static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb,
int block_idx, AMRFixed *fcb)
{
- uint16_t use_mask[7]; // only 5 are used, rest is padding
+ uint16_t use_mask_mem[9]; // only 5 are used, rest is padding
+ uint16_t *use_mask = use_mask_mem + 2;
/* in this function, idx is the index in the 80-bit (+ padding) use_mask
* bit-array. Since use_mask consists of 16-bit values, the lower 4 bits
* of idx are the position of the bit within a particular item in the
@@ -1065,6 +1066,7 @@ static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb,
/* aw_pulse_set1() already applies pulses around pulse_off (to be exactly,
* in the range of [pulse_off, pulse_off + s->aw_pulse_range], and thus
* we exclude that range from being pulsed again in this function. */
+ memset(&use_mask[-2], 0, 2 * sizeof(use_mask[0]));
memset( use_mask, -1, 5 * sizeof(use_mask[0]));
memset(&use_mask[5], 0, 2 * sizeof(use_mask[0]));
if (s->aw_n_pulses[block_idx] > 0)