The outer loop in ac3_bit_alloc_calc_bap() currently runs one iteration
more than it should, possibly over-reading the ff_ac3_band_start_tab
array.  This patch fixes the faulty loop condition.

Signed-off-by: Mans Rullgard <[email protected]>
---
 libavcodec/ac3dsp.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/ac3dsp.c b/libavcodec/ac3dsp.c
index 98c7357..bd4d6b9 100644
--- a/libavcodec/ac3dsp.c
+++ b/libavcodec/ac3dsp.c
@@ -108,7 +108,7 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, int16_t 
*psd,
                                      int snr_offset, int floor,
                                      const uint8_t *bap_tab, uint8_t *bap)
 {
-    int bin, band;
+    int bin, band, band_end;
 
     /* special case, if snr offset is -960, set all bap's to zero */
     if (snr_offset == -960) {
@@ -120,12 +120,13 @@ static void ac3_bit_alloc_calc_bap_c(int16_t *mask, 
int16_t *psd,
     band = ff_ac3_bin_to_band_tab[start];
     do {
         int m = (FFMAX(mask[band] - snr_offset - floor, 0) & 0x1FE0) + floor;
-        int band_end = FFMIN(ff_ac3_band_start_tab[band+1], end);
+        band_end = ff_ac3_band_start_tab[++band];
+        band_end = FFMIN(band_end, end);
         for (; bin < band_end; bin++) {
             int address = av_clip((psd[bin] - m) >> 5, 0, 63);
             bap[bin] = bap_tab[address];
         }
-    } while (end > ff_ac3_band_start_tab[band++]);
+    } while (end > band_end);
 }
 
 static void ac3_update_bap_counts_c(uint16_t mant_cnt[16], uint8_t *bap,
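Review bot: The rewritten `do`/`while` still terminates only when `band_end` reaches `end`, so it depends on `end` never exceeding the last entry of `ff_ac3_band_start_tab`. Nothing in this hunk checks that, and with a larger `end` the `++band` index would keep advancing past the table, taking the `mask[band]` read with it. Whether the callers clamp `end` is not visible here, so I would state the precondition above the loop, e.g. `/* requires end <= last entry of ff_ac3_band_start_tab */`, or assert it. A short comment on the split lookup would also help: `/* FFMIN evaluates its arguments more than once; keep ++band out of it */`. The function begins in the previous hunk, and the lines between the two hunks are not shown.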
-- 
1.7.8.4
