Commit 7aabeea9 authored by Michael Niedermayer's avatar Michael Niedermayer

ac3dec: fix bugs in direct buffer use.

This fixes potentially exploitable out of array writes.
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 529d3e00
...@@ -1384,12 +1384,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, ...@@ -1384,12 +1384,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
/* decode the audio blocks */ /* decode the audio blocks */
channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on]; channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on];
for (ch = 0; ch < AC3_MAX_CHANNELS; ch++) {
output[ch] = s->output[ch];
}
for (ch = 0; ch < s->channels; ch++) { for (ch = 0; ch < s->channels; ch++) {
if (ch < s->out_channels) if (ch < s->out_channels)
s->outptr[channel_map[ch]] = (float *)s->frame.data[ch]; s->outptr[channel_map[ch]] = (float *)s->frame.data[ch];
else else
s->outptr[ch] = s->output[ch]; s->outptr[ch] = s->output[ch];
output[ch] = s->output[ch];
} }
for (blk = 0; blk < s->num_blocks; blk++) { for (blk = 0; blk < s->num_blocks; blk++) {
if (!err && decode_audio_block(s, blk)) { if (!err && decode_audio_block(s, blk)) {
...@@ -1398,10 +1400,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, ...@@ -1398,10 +1400,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
} }
if (err) if (err)
for (ch = 0; ch < s->out_channels; ch++) for (ch = 0; ch < s->out_channels; ch++)
memcpy(s->outptr[channel_map[ch]], output[ch], 1024); memcpy(((float*)s->frame.data[ch]) + AC3_BLOCK_SIZE*blk, output[ch], 1024);
for (ch = 0; ch < s->out_channels; ch++) { for (ch = 0; ch < s->out_channels; ch++) {
output[ch] = s->outptr[channel_map[ch]]; output[ch] = s->outptr[channel_map[ch]];
s->outptr[channel_map[ch]] += AC3_BLOCK_SIZE; }
for (ch = 0; ch < s->channels; ch++) {
s->outptr[ch] += AC3_BLOCK_SIZE;
} }
} }
......
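Review bot: The loop added at the end of the second hunk, `for (ch = 0; ch < s->channels; ch++) s->outptr[ch] += AC3_BLOCK_SIZE;`, also advances the entries that the `else` branch in the first hunk points at the scratch buffer `s->output[ch]`. The declaration of `s->output` is not visible here, so unless each `s->output[ch]` holds `s->num_blocks * AC3_BLOCK_SIZE` floats, those pointers leave the buffer after the first block, and anything `decode_audio_block` writes through them would land out of bounds. Either advance only the pointers that target frame data, e.g. `if (s->outptr[ch] != s->output[ch]) s->outptr[ch] += AC3_BLOCK_SIZE;`, or state in a comment the invariant that makes the unconditional increment safe. The `memcpy` in the error path still passes the literal `1024`; `AC3_BLOCK_SIZE * sizeof(float)` would tie the copy length to the `AC3_BLOCK_SIZE*blk` offset next to it. `ac3_decode_frame` begins and ends outside both hunks, so the buffer sizes need checking against the full function.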