Module: libav Branch: release/0.7 Commit: d87997b56f2725dc33ba262d895060a29ba5000d
Author: Alex Converse <alex.conve...@gmail.com> Committer: Reinhard Tartler <siret...@tauware.de> Date: Tue Jan 10 13:07:09 2012 -0800 aacsbr: prevent out of bounds memcpy(). Fixes Libav Bug 195. Fixes CVE-2012-0850 This doesn't make the code handle sample rate or upsample/downsample change properly but this is still a good sanity check. Based on change by Michael Niedermayer. Signed-off-by: Alex Converse <alex.conve...@gmail.com> (cherry picked from commit 17ce52912f59a74ecc265e062578fb1181456e18) Signed-off-by: Reinhard Tartler <siret...@tauware.de> --- libavcodec/aacsbr.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 81b0b4c..0bfcabb 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1181,14 +1181,15 @@ static void sbr_qmf_synthesis(DSPContext *dsp, FFTContext *mdct, { int i, n; const float *sbr_qmf_window = div ? sbr_qmf_window_ds : sbr_qmf_window_us; + const int step = 128 >> div; float *v; for (i = 0; i < 32; i++) { - if (*v_off == 0) { + if (*v_off < step) { int saved_samples = (1280 - 128) >> div; memcpy(&v0[SBR_SYNTHESIS_BUF_SIZE - saved_samples], v0, saved_samples * sizeof(float)); - *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - (128 >> div); + *v_off = SBR_SYNTHESIS_BUF_SIZE - saved_samples - step; } else { - *v_off -= 128 >> div; + *v_off -= step; } v = v0 + *v_off; if (div) { _______________________________________________ libav-commits mailing list libav-commits@libav.org https://lists.libav.org/mailman/listinfo/libav-commits