generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

aacsbr: prevent out of bounds memcpy().

Browse Source 
Fixes Libav Bug 195.
Fixes CVE-2012-0850

This doesn't make the code handle sample rate or upsample/downsample
change properly but this is still a good sanity check.

Based on change by Michael Niedermayer.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 01804cc91ab231ac79092eee21325d7644357975)

Conflicts:

	libavcodec/aacsbr.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Alex Converse 2012-01-10 13:07:09 -08:00 committed by Reinhard Tartler
parent 212217504a
commit 32b73701c7
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/aacsbr.c
View File

@ -1182,14 +1182,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct,
int i, n; int i, n;
const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us; const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us;
int scale_and_bias = scale != 1.0f || bias != 0.0f; int scale_and_bias = scale != 1.0f || bias != 0.0f;
const int step = 128 >> div;
float *v; float *v;
for (i = 0; i < 32; i++) { for (i = 0; i < 32; i++) {
if (*v_off == 0) { if (*v_off < step) {
int saved_samples = (1280 - 128) >> div; int saved_samples = (1280 - 128) >> div;
memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float)); memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float));
*v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div); *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step;
} else { } else {
*v_off -= 128 >> div; *v_off -= step;
} }
v = v0 + *v_off; v = v0 + *v_off;
if (div) { if (div) {