On 14.12.2015 22:34, Luca Barbato wrote:
> On 14/12/15 20:43, Andreas Cadhalpun wrote:
>> + nlsf[i] = FFMIN(nlsf[i - 1] + min_delta[i], INT16_MAX);
>
> maybe av_clip_int16 ?

Sure, updated patch attached.

Best regards,
Andreas
>From 2894ea930251562c1551b1c5326fc4af231e015a Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> Date: Mon, 14 Dec 2015 20:31:41 +0100 Subject: [PATCH] opus_silk: fix int16_t overflow in silk_stabilize_lsf nlsf[i - 1] + min_delta[i] can be larger than INT16_MAX, causing nlsf to be set to a negative value. However, it is not supposed to be negative and if it is, it causes an out of bounds read in silk_lsf2lpc. Since min_delta is unsigned, the overflow only happens when the result of the addition is assigned to nlsf, so that the FFMIN solves the problem. Even though the specification implies that the value of nlfs can be larger than INT16_MAX at this intermediary point, it is reduced to the int16_t range in the next loop, the result of which doesn't change if the too large intermediary values are replaced by INT16_MAX. Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> --- libavcodec/opus_silk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 841d1ed..3d5c454 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -852,7 +852,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ nlsf[0] = min_delta[0]; for (i = 1; i < order; i++) if (nlsf[i] < nlsf[i - 1] + min_delta[i]) - nlsf[i] = nlsf[i - 1] + min_delta[i]; + nlsf[i] = av_clip_int16(nlsf[i - 1] + min_delta[i]); /* push backwards to increase distance */ if (nlsf[order-1] > 32768 - min_delta[order]) -- 2.6.2
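Review bot: the clipped assignment in the forward loop of silk_stabilize_lsf (`nlsf[i] = av_clip_int16(nlsf[i - 1] + min_delta[i]);`) should carry a short code comment saying why saturating here is safe. As posted, the only justification is in the commit message: the following backward pass reduces the values to the int16_t range anyway, and its result does not change when the oversized intermediates are replaced by INT16_MAX. Someone reading opus_silk.c later will not see that argument. The commit message also still says "the FFMIN solves the problem" although the line now uses av_clip_int16, and it spells nlsf as "nlfs" once; both are worth fixing before this is pushed.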