On 16.04.2015 23:04, Michael Niedermayer wrote:
> On Thu, Apr 16, 2015 at 09:25:26PM +0200, Andreas Cadhalpun wrote:
>> This fixes an invalid read if end is 0:
>>     band_end = ff_ac3_bin_to_band_tab[end-1] + 1;
>>
>> Depending on what is before the array, this can cause stack smashing,
>> when band_end becomes too large.
>>
>> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
>> ---
>>  libavcodec/ac3.c | 3 +++
>>  1 file changed, 3 insertions(+)
>
> i think it would be better to (also) error out earlier when end_freq
> would not be set to a valid value

I don't think it's possible to error out much earlier.
One could add a check in ac3dec directly before calling
ff_ac3_bit_alloc_calc_mask, but that would save just one function call.
Whether that function is called depends on 'bit_alloc_stages[ch] > 1'
and bit_alloc_stages is determined just a few lines before that call.

On the other hand maybe that function shouldn't be called at all in the
's->exp_strategy[blk][ch] == EXP_REUSE' case?

> but checking in ff_ac3_bit_alloc_calc_mask() is possibly more robust
> so applied

Yes, it's more robust and the function is also called from the encoder.

Best regards,
Andreas
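The failure mode discussed in this thread, as an added example that is not part of the original message or FFmpeg's code: a simplified C model of a bin-to-band lookup that rejects an invalid `end` before indexing with `end - 1`, so a local per-band array is never touched on bad input. The table, its sizes and the function names are constructed for illustration, and the upper-bound check is an assumption that goes beyond what the thread mentions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define N_BINS  8   /* constructed sizes, far smaller than a real codec table */
#define N_BANDS 4

/* Constructed stand-in for a bin -> band lookup table. */
static const uint8_t bin_to_band[N_BINS] = { 0, 0, 1, 1, 2, 2, 3, 3 };

/* Number of bands covering bins [0, end), or -EINVAL if end cannot index
 * the table. The unchecked form `bin_to_band[end - 1] + 1` reads
 * bin_to_band[-1] when end == 0; whatever byte sits before the table then
 * becomes a loop bound over a fixed-size stack array. */
static int band_end_checked(int end)
{
    if (end <= 0 || end > N_BINS)
        return -EINVAL;
    return bin_to_band[end - 1] + 1;
}

/* Integrates per-bin values into a stack-local per-band array and sums
 * the bands; invalid ends are refused before any array access. */
static int sum_bands(const int16_t *psd, int end, int32_t *total)
{
    int32_t band_psd[N_BANDS] = { 0 };
    int band_end = band_end_checked(end);

    if (band_end < 0)
        return band_end;
    for (int bin = 0; bin < end; bin++)
        band_psd[bin_to_band[bin]] += psd[bin];
    *total = 0;
    for (int band = 0; band < band_end; band++)
        *total += band_psd[band];
    return band_end;
}

int main(void)
{
    const int16_t psd[N_BINS] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed */
    int32_t total = 0;
    int rc = sum_bands(psd, 0, &total);
    printf("end=0 -> rc=%d (rejected)\n", rc);
    rc = sum_bands(psd, 5, &total);
    printf("end=5 -> %d bands, total=%d\n", rc, (int)total);
    return 0;
}
```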