Skip to content

F
ffmpeg.wasm-core
Commit 02591641 authored by Måns Rullgård's avatar Måns Rullgård
Browse files
Options

shorten: remove VLA and check for buffer overflow 

Originally committed as revision 23798 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 17253f59
Hide whitespace changes
Inline Side-by-side
Showing with 17 additions and 1 deletion
libavcodec/shorten.c
View file @ 02591641
...@@ -83,6 +83,7 @@ typedef struct ShortenContext { ...@@ -83,6 +83,7 @@ typedef struct ShortenContext {
int32_t *decoded[MAX_CHANNELS]; int32_t *decoded[MAX_CHANNELS];
int32_t *offset[MAX_CHANNELS]; int32_t *offset[MAX_CHANNELS];
int *coeffs;
uint8_t *bitstream; uint8_t *bitstream;
int bitstream_size; int bitstream_size;
int bitstream_index; int bitstream_index;
...@@ -112,6 +113,8 @@ static av_cold int shorten_decode_init(AVCodecContext * avctx) ...@@ -112,6 +113,8 @@ static av_cold int shorten_decode_init(AVCodecContext * avctx)
static int allocate_buffers(ShortenContext *s) static int allocate_buffers(ShortenContext *s)
{ {
int i, chan; int i, chan;
int *coeffs;
for (chan=0; chan<s->channels; chan++) { for (chan=0; chan<s->channels; chan++) {
if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){ if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n"); av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
...@@ -129,6 +132,12 @@ static int allocate_buffers(ShortenContext *s) ...@@ -129,6 +132,12 @@ static int allocate_buffers(ShortenContext *s)
s->decoded[chan][i] = 0; s->decoded[chan][i] = 0;
s->decoded[chan] += s->nwrap; s->decoded[chan] += s->nwrap;
} }
coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs));
if (!coeffs)
return AVERROR(ENOMEM);
s->coeffs = coeffs;
return 0; return 0;
} }
...@@ -253,7 +262,7 @@ static int16_t * interleave_buffer(int16_t *samples, int nchan, int blocksize, i ...@@ -253,7 +262,7 @@ static int16_t * interleave_buffer(int16_t *samples, int nchan, int blocksize, i
static void decode_subframe_lpc(ShortenContext *s, int channel, int residual_size, int pred_order) static void decode_subframe_lpc(ShortenContext *s, int channel, int residual_size, int pred_order)
{ {
int sum, i, j; int sum, i, j;
int coeffs[pred_order]; int *coeffs = s->coeffs;
for (i=0; i<pred_order; i++) for (i=0; i<pred_order; i++)
coeffs[i] = get_sr_golomb_shorten(&s->gb, LPCQUANT); coeffs[i] = get_sr_golomb_shorten(&s->gb, LPCQUANT);
...@@ -427,6 +436,12 @@ static int shorten_decode_frame(AVCodecContext *avctx, ...@@ -427,6 +436,12 @@ static int shorten_decode_frame(AVCodecContext *avctx,
case FN_QLPC: case FN_QLPC:
{ {
int pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE); int pred_order = get_ur_golomb_shorten(&s->gb, LPCQSIZE);
if (pred_order > s->nwrap) {
av_log(avctx, AV_LOG_ERROR,
"invalid pred_order %d\n",
pred_order);
return -1;
}
for (i=0; i<pred_order; i++) for (i=0; i<pred_order; i++)
s->decoded[channel][i - pred_order] -= coffset; s->decoded[channel][i - pred_order] -= coffset;
decode_subframe_lpc(s, channel, residual_size, pred_order); decode_subframe_lpc(s, channel, residual_size, pred_order);
...@@ -515,6 +530,7 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx) ...@@ -515,6 +530,7 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx)
av_freep(&s->offset[i]); av_freep(&s->offset[i]);
} }
av_freep(&s->bitstream); av_freep(&s->bitstream);
av_freep(&s->coeffs);
return 0; return 0;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment