On 3/28/2018 3:59 PM, Paul B Mahol wrote:
> Signed-off-by: Paul B Mahol <[email protected]>
> ---
> libavcodec/aac_ac3_parser.c | 9 ++-
> libavcodec/ac3_parser.c | 2 +-
> libavcodec/ac3dec.c | 177 +++++++++++++++++++++++++++++++++++---------
> libavcodec/ac3dec.h | 10 ++-
> libavcodec/eac3dec.c | 11 +--
> tests/ref/fate/ts-demux | 2 +-
> tests/ref/seek/lavf-rm | 6 +-
> 7 files changed, 164 insertions(+), 53 deletions(-)
>
> @@ -1463,14 +1483,17 @@ static int ac3_decode_frame(AVCodecContext * avctx,
> void *data,
> {
> AVFrame *frame = data;
> const uint8_t *buf = avpkt->data;
> - int buf_size = avpkt->size;
> + int buf_size, full_buf_size = avpkt->size;
> AC3DecodeContext *s = avctx->priv_data;
> - int blk, ch, err, ret;
> + int blk, ch, err, offset, ret;
> + int got_independent_frame = 0;
> const uint8_t *channel_map;
> + uint8_t extended_channel_map[AC3_MAX_CHANNELS * 2];
AC3_MAX_CHANNELS is 7
[...]
> + for (ch = 0; ch < 16; ch++)
> + extended_channel_map[ch] = ch;
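Review bot: the bound in `for (ch = 0; ch < 16; ch++)` does not match the declaration `uint8_t extended_channel_map[AC3_MAX_CHANNELS * 2]`; with AC3_MAX_CHANNELS at 7 the array has 14 entries, so the last two iterations write past the end of a stack array. Either size the array for the largest channel index the decoder will actually use, or derive the bound from the array, e.g. `for (ch = 0; ch < FF_ARRAY_ELEMS(extended_channel_map); ch++)`, and express both with one named constant so the two cannot drift apart again.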
Which means an out-of-array access takes place here.
This is making all ac3 and eac3 tests crash with SIGABRT on Linux GCC
when -fstack-protector is enabled (which is on by default).
http://fate.ffmpeg.org/report.cgi?time=20180329202433&slot=x86_64-archlinux-gcc-threads-auto
[...]
> @@ -239,11 +242,12 @@ typedef struct AC3DecodeContext {
> ///@name Aligned arrays
> DECLARE_ALIGNED(16, int,
> fixed_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< fixed-point
> transform coefficients
> DECLARE_ALIGNED(32, INTFLOAT,
> transform_coeffs)[AC3_MAX_CHANNELS][AC3_MAX_COEFS]; ///< transform
> coefficients
> - DECLARE_ALIGNED(32, INTFLOAT, delay)[AC3_MAX_CHANNELS][AC3_BLOCK_SIZE];
> ///< delay - added to the next block
> + DECLARE_ALIGNED(32, INTFLOAT, delay)[2 *
> AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< delay - added to the next
> block
> DECLARE_ALIGNED(32, INTFLOAT, window)[AC3_BLOCK_SIZE];
> ///< window coefficients
> DECLARE_ALIGNED(32, INTFLOAT, tmp_output)[AC3_BLOCK_SIZE];
> ///< temporary storage for output before windowing
> - DECLARE_ALIGNED(32, SHORTFLOAT,
> output)[AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< output after imdct
> transform and windowing
> + DECLARE_ALIGNED(32, SHORTFLOAT, output)[2 *
> AC3_MAX_CHANNELS][AC3_BLOCK_SIZE]; ///< output after imdct
> transform and windowing
> DECLARE_ALIGNED(32, uint8_t, input_buffer)[AC3_FRAME_BUFFER_SIZE +
> AV_INPUT_BUFFER_PADDING_SIZE]; ///< temp buffer to prevent overread
> + DECLARE_ALIGNED(32, SHORTFLOAT, output_buffer)[2 *
> AC3_MAX_CHANNELS][AC3_BLOCK_SIZE * 6]; ///< final output buffer
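Review bot: `delay`, `output` and `output_buffer` all get `2 * AC3_MAX_CHANNELS` rows, the same 14 that `extended_channel_map` has in ac3_decode_frame, so a channel index that reaches 16 there overruns these arrays too; since they live in the decoder context rather than on the stack, the stack protector will not flag that write. Tie all four first dimensions to one named constant, and replace the bare `6` in `AC3_BLOCK_SIZE * 6` with a named blocks-per-frame constant so the `final output buffer` comment says how much audio it holds.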
Not sure if the same happens with these, but better make sure.
_______________________________________________
ffmpeg-devel mailing list
[email protected]
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
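The thread above is about a per-channel loop whose literal bound (16) exceeds the array it indexes (2 * AC3_MAX_CHANNELS, i.e. 14). The C below is an added example, not FFmpeg code and not part of the patch or the reply: it shows the pattern a reviewer would want instead, a request validated against the array's actual size, and all per-channel arrays tied to one constant by compile-time assertions. AC3_MAX_CHANNELS = 7 is taken from the reply; the block size of 256, six blocks per frame, the ExtDecodeContext struct and every function name here are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the FFmpeg constants named in the thread. The reply
 * states AC3_MAX_CHANNELS is 7; 256 samples per block and 6 blocks per
 * frame are assumed here. None of this is taken from the FFmpeg headers. */
#define AC3_MAX_CHANNELS 7
#define AC3_BLOCK_SIZE   256
#define BLOCKS_PER_FRAME 6

/* One constant for the doubled channel count, used for every array that is
 * indexed by an extended channel number, so the sizes cannot drift apart. */
#define EXT_MAX_CHANNELS (2 * AC3_MAX_CHANNELS)

#define ARRAY_ELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical context carrying the per-channel arrays from the patch. */
typedef struct ExtDecodeContext {
    uint8_t extended_channel_map[EXT_MAX_CHANNELS];
    float   delay[EXT_MAX_CHANNELS][AC3_BLOCK_SIZE];
    float   output[EXT_MAX_CHANNELS][AC3_BLOCK_SIZE];
    float   output_buffer[EXT_MAX_CHANNELS][AC3_BLOCK_SIZE * BLOCKS_PER_FRAME];
} ExtDecodeContext;

/* Compile-time check that every per-channel array has as many rows as the
 * channel map has entries: enlarging one without the others fails the build
 * instead of overrunning at run time. */
#define ROWS(member) ARRAY_ELEMS(((ExtDecodeContext *)0)->member)
_Static_assert(ROWS(delay) == ROWS(extended_channel_map), "delay rows");
_Static_assert(ROWS(output) == ROWS(extended_channel_map), "output rows");
_Static_assert(ROWS(output_buffer) == ROWS(extended_channel_map), "output_buffer rows");

/* Fill the identity channel map for nb_channels channels.
 * The patch's loop ran to a literal 16 over a 14-entry array; here the
 * request is checked against the array's real size and rejected with -1
 * instead of being written past the end. Returns 0 on success. */
static int init_extended_channel_map(ExtDecodeContext *s, int nb_channels)
{
    if (nb_channels < 0 || (size_t)nb_channels > ARRAY_ELEMS(s->extended_channel_map))
        return -1;
    /* Clear the whole map first so unused tail entries are deterministic. */
    memset(s->extended_channel_map, 0, sizeof(s->extended_channel_map));
    for (size_t ch = 0; ch < (size_t)nb_channels; ch++)
        s->extended_channel_map[ch] = (uint8_t)ch;
    return 0;
}

/* Run the init on a fresh context and report its result code. */
static int try_channel_count(int nb_channels)
{
    static ExtDecodeContext s;   /* static: roughly 115 KB, too big for a casual stack frame */
    memset(&s, 0, sizeof(s));
    return init_extended_channel_map(&s, nb_channels);
}

/* Map entry idx after initialising nb_channels channels, or -1 if the
 * count was rejected or idx itself is out of range. */
static int channel_map_entry(int nb_channels, int idx)
{
    static ExtDecodeContext s;
    memset(&s, 0, sizeof(s));
    if (init_extended_channel_map(&s, nb_channels) < 0)
        return -1;
    if (idx < 0 || (size_t)idx >= ARRAY_ELEMS(s.extended_channel_map))
        return -1;
    return s.extended_channel_map[idx];
}

int main(void)
{
    /* Constructed inputs: the plain AC-3 maximum, the doubled maximum, and
     * the literal 16 from the patch's loop. */
    int counts[] = { AC3_MAX_CHANNELS, EXT_MAX_CHANNELS, 16 };
    for (size_t i = 0; i < ARRAY_ELEMS(counts); i++)
        printf("%2d channels -> %s\n", counts[i],
               try_channel_count(counts[i]) == 0 ? "ok" : "rejected (exceeds map)");
    return 0;
}
```

With the bound taken from the array and the row counts asserted at compile time, a later change to any one of the four declarations, or to the loop limit, either still fits or fails to build; neither outcome depends on -fstack-protector happening to be enabled on the FATE box that caught the original.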