aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2012-12-10 03:11:16 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-12-10 04:45:30 +0100
commit7aabeea9ba0e557e834c886de5ea4db8e9a5193d (patch)
treea3a4cf44caba56cdb2a694be2303f6fb67347fc8 /libavcodec
parent529d3e002642a9901ae463dea0263768dc843173 (diff)
downloadffmpeg-7aabeea9ba0e557e834c886de5ea4db8e9a5193d.tar.gz
ac3dec: fix bugs in direct buffer use.
This fixes potentially exploitable out of array writes. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/ac3dec.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 50e980bad7..1013901a40 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1384,12 +1384,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
/* decode the audio blocks */
channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on];
+ for (ch = 0; ch < AC3_MAX_CHANNELS; ch++) {
+ output[ch] = s->output[ch];
+ }
for (ch = 0; ch < s->channels; ch++) {
if (ch < s->out_channels)
s->outptr[channel_map[ch]] = (float *)s->frame.data[ch];
else
s->outptr[ch] = s->output[ch];
- output[ch] = s->output[ch];
}
for (blk = 0; blk < s->num_blocks; blk++) {
if (!err && decode_audio_block(s, blk)) {
@@ -1398,10 +1400,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
}
if (err)
for (ch = 0; ch < s->out_channels; ch++)
- memcpy(s->outptr[channel_map[ch]], output[ch], 1024);
+ memcpy(((float*)s->frame.data[ch]) + AC3_BLOCK_SIZE*blk, output[ch], 1024);
for (ch = 0; ch < s->out_channels; ch++) {
output[ch] = s->outptr[channel_map[ch]];
- s->outptr[channel_map[ch]] += AC3_BLOCK_SIZE;
+ }
+ for (ch = 0; ch < s->channels; ch++) {
+ s->outptr[ch] += AC3_BLOCK_SIZE;
}
}