On 15.12.2015 08:17, Anton Khirnov wrote:
> Can you share the sample that shows the problem?
I could, but it's of no use for comparing with libopus, because their
decoder errors out in an unrelated check.
> From what I can see, libopus does not do any clipping at that point, so
> something else must ensure that there is no overflow.
Indeed, the real problem is just a silly typo...
It might have been caused by the fact that the specification uses
i and k in exactly the opposite way than the code.
New patch attached.
Best regards,
Andreas
>From d3b2c24d391d7871b978b3372f0f740730996ded Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Date: Tue, 15 Dec 2015 22:00:31 +0100
Subject: [PATCH] opus_silk: fix typo causing overflow in silk_stabilize_lsf
Due to this typo max_center can be too large, causing nlsf to be set to
too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to
overflow to a negative value, which is not allowed for nlsf and can
cause an out of bounds read in silk_lsf2lpc.
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
libavcodec/opus_silk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c
index 841d1ed..73526f9 100644
--- a/libavcodec/opus_silk.c
+++ b/libavcodec/opus_silk.c
@@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_
/* upper extent */
for (i = order; i > k; i--)
- max_center -= min_delta[k];
+ max_center -= min_delta[i];
max_center -= min_delta[k] >> 1;
/* move apart */
--
2.6.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
