On Sun, Dec 6, 2015 at 6:36 PM, Andreas Cadhalpun <andreas.cadhal...@googlemail.com> wrote:
> The other is a regression since 01ecb71, so I hope you know how to fix that.
> In search_for_pns in libavcodec/aaccoder.c:
>     for (w = 0; w < sce->ics.num_windows; w += sce->ics.group_len[w]) {
> [...]
>         for (g = 0; g < sce->ics.num_swb; g++) {
> [...]
>             for (w2 = 0; w2 < sce->ics.group_len[w]; w2++) {
> [...]
>             }
>             if (g && sce->sf_idx[(w+w2)*16+g-1] == NOISE_BT) {
>
> At this point w+w2 can be sce->ics.num_windows, which causes an
> out-of-bounds read.

I don't see how that can happen. Do you have the input that triggers this?
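
Added example, not part of the original messages and not FFmpeg code: a stand-alone model of the quoted loop nest that records which `sf_idx` positions the post-loop expression `(w+w2)*16+g-1` touches. The `ics_model` and `pns_reads` structs, the function name, the 8-window/128-slot array size and the sample grouping are assumptions made for illustration, as is the premise that the elided loop body neither breaks early nor modifies `w2`.

```c
#include <stdio.h>

#define SF_STRIDE   16  /* row stride from the quoted index expression */
#define MAX_WINDOWS 8   /* assumption: at most 8 windows per frame */

/* Hypothetical stand-in for the ICS fields the quoted loops use. */
struct ics_model {
    int num_windows, num_swb;
    int group_len[MAX_WINDOWS]; /* length stored at each group's first window */
};

struct pns_reads {
    int past_last_window; /* reads whose window row is >= num_windows */
    int past_array;       /* reads whose flat index is >= sf_size */
    int max_index;        /* largest flat index read, -1 if none */
};

/* Walk the quoted loop nest and classify every sf_idx[(w+w2)*16+g-1] read. */
struct pns_reads model_pns_reads(const struct ics_model *ics, int sf_size)
{
    struct pns_reads r = { 0, 0, -1 };
    int w, g, w2;
    for (w = 0; w < ics->num_windows; w += ics->group_len[w]) {
        if (ics->group_len[w] <= 0)
            break; /* malformed grouping would never advance w */
        for (g = 0; g < ics->num_swb; g++) {
            for (w2 = 0; w2 < ics->group_len[w]; w2++) {
                /* elided body; assumed not to break or modify w2 */
            }
            /* w2 == group_len[w] here: w+w2 is the next group's first window */
            if (g) {
                int idx = (w + w2) * SF_STRIDE + g - 1;
                r.past_last_window += (w + w2 >= ics->num_windows);
                r.past_array += (idx >= sf_size);
                if (idx > r.max_index)
                    r.max_index = idx;
            }
        }
    }
    return r;
}

int main(void)
{
    /* Constructed sample: 8 short windows grouped 3+2+3, 14 bands. */
    struct ics_model s = { 8, 14, { 3, 0, 0, 2, 0, 3, 0, 0 } };
    struct pns_reads r = model_pns_reads(&s, MAX_WINDOWS * SF_STRIDE);
    printf("past window: %d, past array: %d, max index: %d\n",
           r.past_last_window, r.past_array, r.max_index);
    return 0;
}
```

In this model only the last group reaches row `num_windows`; with eight windows that row lies past a 128-slot array, while with a single window the read stays inside the array but lands in a row that belongs to no window.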