aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/ac3dec.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-05-13 19:28:01 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-05-13 20:36:33 +0200
commit9351a156de724edb69ba6e1f05884fe806a13a21 (patch)
treea35b183a331085ed67f733383f63a579426b7235 /libavcodec/ac3dec.c
parenta3508cc3fe643a8adad6a82a60bece3ea3c5dc63 (diff)
downloadffmpeg-9351a156de724edb69ba6e1f05884fe806a13a21.tar.gz
avcodec/ac3dec: Keep track of band structure
It is needed in some corner cases that seem not to be forbidden Fixes: out of array index Fixes: 1538/clusterfuzz-testcase-minimized-4696904925446144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/ac3dec.c')
-rw-r--r--libavcodec/ac3dec.c27
1 files changed, 15 insertions, 12 deletions
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 7e2cbce90b..ffea9d335c 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -761,30 +761,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s)
* @param[in] default_band_struct default band structure table
* @param[out] num_bands number of bands (optionally NULL)
* @param[out] band_sizes array containing the number of bins in each band (optionally NULL)
+ * @param[in,out] band_struct current band structure
*/
static void decode_band_structure(GetBitContext *gbc, int blk, int eac3,
int ecpl, int start_subband, int end_subband,
const uint8_t *default_band_struct,
- int *num_bands, uint8_t *band_sizes)
+ int *num_bands, uint8_t *band_sizes,
+ uint8_t *band_struct, int band_struct_size)
{
int subbnd, bnd, n_subbands, n_bands=0;
uint8_t bnd_sz[22];
- uint8_t coded_band_struct[22];
- const uint8_t *band_struct;
n_subbands = end_subband - start_subband;
+ if (!blk)
+ memcpy(band_struct, default_band_struct, band_struct_size);
+
+ av_assert0(band_struct_size >= start_subband + n_subbands);
+
+ band_struct += start_subband + 1;
+
/* decode band structure from bitstream or use default */
if (!eac3 || get_bits1(gbc)) {
for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) {
- coded_band_struct[subbnd] = get_bits1(gbc);
+ band_struct[subbnd] = get_bits1(gbc);
}
- band_struct = coded_band_struct;
- } else if (!blk) {
- band_struct = &default_band_struct[start_subband+1];
- } else {
- /* no change in band structure */
- return;
}
/* calculate number of bands and band sizes based on band structure.
@@ -863,7 +864,8 @@ static inline int spx_strategy(AC3DecodeContext *s, int blk)
start_subband, end_subband,
ff_eac3_default_spx_band_struct,
&s->num_spx_bands,
- s->spx_band_sizes);
+ s->spx_band_sizes,
+ s->spx_band_struct, sizeof(s->spx_band_struct));
return 0;
}
@@ -1000,7 +1002,8 @@ static inline int coupling_strategy(AC3DecodeContext *s, int blk,
decode_band_structure(bc, blk, s->eac3, 0, cpl_start_subband,
cpl_end_subband,
ff_eac3_default_cpl_band_struct,
- &s->num_cpl_bands, s->cpl_band_sizes);
+ &s->num_cpl_bands, s->cpl_band_sizes,
+ s->cpl_band_struct, sizeof(s->cpl_band_struct));
} else {
/* coupling not in use */
for (ch = 1; ch <= fbw_channels; ch++) {