ac3dec: fix bugs in direct buffer use.

This fixes potentially exploitable out of array writes. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

ac3dec: fix bugs in direct buffer use.
This fixes potentially exploitable out of array writes. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7aabeea9 · Michael Niedermayer · 529d3e00 · 7aabeea9
Commit 7aabeea9 authored Dec 10, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

ac3dec.c libavcodec/ac3dec.c +7 -3

No files found.
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1384,12 +1384,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,

    /* decode the audio blocks */
    channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on];
+    for (ch = 0; ch < AC3_MAX_CHANNELS; ch++) {
+        output[ch] = s->output[ch];
+    }
    for (ch = 0; ch < s->channels; ch++) {
        if (ch < s->out_channels)
            s->outptr[channel_map[ch]] = (float *)s->frame.data[ch];
        else
            s->outptr[ch] = s->output[ch];
-        output[ch] = s->output[ch];
    }
    for (blk = 0; blk < s->num_blocks; blk++) {
        if (!err && decode_audio_block(s, blk)) {
@@ -1398,10 +1400,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
        }
        if (err)
            for (ch = 0; ch < s->out_channels; ch++)
-                memcpy(s->outptr[channel_map[ch]], output[ch], 1024);
+                memcpy(((float*)s->frame.data[ch]) + AC3_BLOCK_SIZE*blk, output[ch], 1024);
        for (ch = 0; ch < s->out_channels; ch++) {
            output[ch] = s->outptr[channel_map[ch]];
-            s->outptr[channel_map[ch]] += AC3_BLOCK_SIZE;
+        }
+        for (ch = 0; ch < s->channels; ch++) {
+            s->outptr[ch] += AC3_BLOCK_SIZE;
        }
    }