aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Cadhalpun <andreas.cadhalpun@googlemail.com>2015-04-16 21:25:26 +0200
committerMichael Niedermayer <michaelni@gmx.at>2015-04-16 21:37:16 +0200
commitbc4fee7f2a51635fa3c0f61d1e5164da1efeded3 (patch)
treebabb46febc7a974f36b921c1d90b732a309af0eb
parent55a1d75bf7855d147f420eba36e452ae401f78cb (diff)
downloadffmpeg-bc4fee7f2a51635fa3c0f61d1e5164da1efeded3.tar.gz
ac3: validate end in ff_ac3_bit_alloc_calc_mask
This fixes an invalid read if end is 0: band_end = ff_ac3_bin_to_band_tab[end-1] + 1; Depending on what is before the array, this can cause stack smashing, when band_end becomes too large. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/ac3.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/ac3.c b/libavcodec/ac3.c
index c4fc77cbdf..b54315dcb3 100644
--- a/libavcodec/ac3.c
+++ b/libavcodec/ac3.c
@@ -131,6 +131,9 @@ int ff_ac3_bit_alloc_calc_mask(AC3BitAllocParameters *s, int16_t *band_psd,
int band_start, band_end, begin, end1;
int lowcomp, fastleak, slowleak;
+ if (end <= 0)
+ return AVERROR_INVALIDDATA;
+
/* excitation function */
band_start = ff_ac3_bin_to_band_tab[start];
band_end = ff_ac3_bin_to_band_tab[end-1] + 1;