On 09.12.2015 19:08, Claudio Freire wrote:
> On Sun, Dec 6, 2015 at 6:36 PM, Andreas Cadhalpun
> <andreas.cadhal...@googlemail.com> wrote:
>> The other is a regression since 01ecb71, so I hope you know how to fix that.

Let me add example numbers to the code. That should make the problem obvious.

>> In search_for_pns in libavcodec/aaccoder.c:
>>     for (w = 0; w < sce->ics.num_windows; w += sce->ics.group_len[w]) {

sce->ics.num_windows = 8
w = 6

>> [...]
>>         for (g = 0; g < sce->ics.num_swb; g++) {

sce->ics.num_swb = 14
g = 7

>> [...]
>>             for (w2 = 0; w2 < sce->ics.group_len[w]; w2++) {
>> [...]
>>             }

Now we are after the w2-loop and thus:
w2 = sce->ics.group_len[w] = 2

>>             if (g && sce->sf_idx[(w+w2)*16+g-1] == NOISE_BT) {

sce->sf_idx is of type int[128].
(w+w2)*16+g-1 = 134 > 127 ... Ouch!

Did you intend to put this check inside the w2-loop?

>> At this point w+w2 can be sce->ics.num_windows, which causes an
>> out-of-bounds read.
>
> I don't see how that can happen.

I hope the above example clarifies this.

> Do you have the input that triggers this?

Yes.

Best regards,
Andreas

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
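The index arithmetic in the mail above, as an added stand-alone model that is not part of the thread and not FFmpeg code: it reproduces the loop nesting of the quoted search_for_pns fragment with plain ints (no SingleChannelElement, no coefficient data) and reports the largest sf_idx index the check would compute. The window layout (8 short windows grouped 2+2+2+2, 14 scalefactor bands) is constructed to match the numbers Andreas gives; the "check inside the w2 loop" variant is an assumption about the alternative placement he asks about, not a fix taken from the project.

```c
#include <stdio.h>

/* sce->sf_idx is int[128] in the quoted code; anything >= 128 is out of bounds. */
#define SF_IDX_LEN 128

/* The index expression from the quoted check: sf_idx[(w+w2)*16+g-1]. */
static int sf_index(int w, int w2, int g)
{
    return (w + w2) * 16 + g - 1;
}

static int is_out_of_bounds(int idx)
{
    return idx < 0 || idx >= SF_IDX_LEN;
}

/* Hypothetical model of the loop nesting quoted in the thread. Walks the
 * w / g / w2 loops with the given window layout and returns the largest index
 * that the check "g && sf_idx[(w+w2)*16+g-1]" would evaluate.
 *
 * check_inside_w2_loop == 0: the check runs after the w2 loop, so w2 is left
 *                            equal to group_len[w] (the situation in the mail).
 * check_inside_w2_loop != 0: the check runs inside the w2 loop, so w2 < group_len[w]
 *                            (assumed alternative placement, not the project's code). */
static int max_sf_idx_index(int num_windows, const int *group_len, int num_swb,
                            int check_inside_w2_loop)
{
    int max_idx = -1;

    for (int w = 0; w < num_windows; w += group_len[w]) {
        if (group_len[w] <= 0)   /* guard against a malformed layout looping forever */
            break;
        for (int g = 0; g < num_swb; g++) {
            if (!g)              /* the quoted check is skipped for g == 0 */
                continue;
            if (check_inside_w2_loop) {
                for (int w2 = 0; w2 < group_len[w]; w2++) {
                    int idx = sf_index(w, w2, g);
                    if (idx > max_idx)
                        max_idx = idx;
                }
            } else {
                int w2 = group_len[w];   /* value left over after the w2 loop */
                int idx = sf_index(w, w2, g);
                if (idx > max_idx)
                    max_idx = idx;
            }
        }
    }
    return max_idx;
}

/* Constructed layout matching the mail: num_windows = 8, groups of 2 windows
 * (so the w loop visits 0, 2, 4, 6 and group_len[6] == 2), num_swb = 14. */
static int example_max_index(int check_inside_w2_loop)
{
    const int group_len[8] = { 2, 0, 2, 0, 2, 0, 2, 0 };
    return max_sf_idx_index(8, group_len, 14, check_inside_w2_loop);
}

int main(void)
{
    int after  = example_max_index(0);
    int inside = example_max_index(1);

    printf("index from the mail (w=6, w2=2, g=7): %d, out of bounds: %s\n",
           sf_index(6, 2, 7), is_out_of_bounds(sf_index(6, 2, 7)) ? "yes" : "no");
    printf("largest index, check after w2 loop:  %d, out of bounds: %s\n",
           after, is_out_of_bounds(after) ? "yes" : "no");
    printf("largest index, check inside w2 loop: %d, out of bounds: %s\n",
           inside, is_out_of_bounds(inside) ? "yes" : "no");
    return 0;
}
```

With the check after the w2 loop, the last window group reaches w + w2 == num_windows, so the index runs up to 8*16 + 13 - 1 = 140 for the last band; with w2 still bounded by the loop condition it stays at 124, inside the 128-entry array.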