On Wed, Dec 9, 2015 at 5:29 PM, Claudio Freire <klaussfre...@gmail.com> wrote:
> On Wed, Dec 9, 2015 at 4:42 PM, Andreas Cadhalpun
> <andreas.cadhal...@googlemail.com> wrote:
>>>> [...]
>>>> for (w2 = 0; w2 < sce->ics.group_len[w]; w2++) {
>>>> [...]
>>>> }
>>
>> Now we are after the w2-loop and thus:
>> w2 = sce->ics.group_len[w] = 2
>>
>
>
> Ah, I see, it's outside the loop!
>
> Pushing a fix.

Seems I cannot push from this computer (I don't have the key at hand). So, attached a patch that ought to fix this crash.

From 73c14b6684d7ccbd91b80c3dc4a615e40a321494 Mon Sep 17 00:00:00 2001 From: Claudio Freire <klaussfre...@gmail.com> Date: Wed, 9 Dec 2015 17:36:32 -0300 Subject: [PATCH] AAC encoder: fix OOB access in search_for_pns Fix OOB access in search_for_pns which was using w2 outside the window group loop, and fix a typo in which it was checking sf_idx instead of band_type --- libavcodec/aaccoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 14862ec..7e55494 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -711,7 +711,7 @@ static void search_for_pns(AACEncContext *s, AVCodecContext *avctx, SingleChanne /* Estimate rd on average as 5 bits for SF, 4 for the CB, plus spread energy * lambda/thr */ dist2 += band->energy/(band->spread*band->spread)*lambda*dist_thresh/band->threshold; } - if (g && sce->sf_idx[(w+w2)*16+g-1] == NOISE_BT) { + if (g && sce->band_type[w*16+g-1] == NOISE_BT) { dist2 += 5; } else { dist2 += 9; -- 1.8.4.5
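
Review bot: on the `+` line the index becomes `w*16+g-1`, so the check now reads band_type only for the first window of the group, and nothing in the patch says that this is the window the previous band's type should be taken from. Please state that in the commit message, and consider a one-line comment at the check noting that w2 is not valid after the window group loop, so it does not get reintroduced there. The subject mentions only the OOB access while the same line also switches from sf_idx to band_type; since both changes land in one line, naming the band_type fix in the subject would make it easier to find later.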