[FFmpeg-devel] [PATCH] aaccoder: prevent crash of anmr coder
Claudio Freire
klaussfreire at gmail.com
Wed Dec 9 19:08:53 CET 2015
On Sun, Dec 6, 2015 at 6:36 PM, Andreas Cadhalpun
<andreas.cadhalpun at googlemail.com> wrote:
> The other is a regression since 01ecb71, so I hope you know how to fix that.
> In search_for_pns in libavcodec/aaccoder.c:
>     for (w = 0; w < sce->ics.num_windows; w += sce->ics.group_len[w]) {
>         [...]
>         for (g = 0; g < sce->ics.num_swb; g++) {
>             [...]
>             for (w2 = 0; w2 < sce->ics.group_len[w]; w2++) {
>                 [...]
>             }
>             if (g && sce->sf_idx[(w+w2)*16+g-1] == NOISE_BT) {
>
> At this point w+w2 can be sce->ics.num_windows, which causes an
> out-of-bounds read.
I don't see how that can happen.
Do you have the input that triggers this?
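
The index arithmetic of the quoted excerpt, modelled as an added example that is not part of the thread or of FFmpeg: it walks the same loop nest and reports the value of w+w2 at the point where the post-loop `if` is evaluated. The `ics_model` struct, the function name and the window grouping are hypothetical and constructed for illustration.

```c
#include <stdio.h>

#define SF_STRIDE 16  /* the "*16" in the quoted index expression */

/* Constructed stand-in for the fields the quoted loop nest reads. */
struct ics_model {
    int num_windows;
    int num_swb;
    int group_len[8];  /* length stored at the first window of each group */
};

/*
 * Walk the loop nest from the quoted excerpt and return the largest index
 * that the expression (w+w2)*16+g-1 forms after the inner loop has ended.
 * The largest w+w2 seen at that point is written to *max_window.
 */
static int max_post_loop_index(const struct ics_model *ics, int *max_window)
{
    int w, g, w2, max_idx = -1;

    *max_window = -1;
    for (w = 0; w < ics->num_windows; w += ics->group_len[w]) {
        for (g = 0; g < ics->num_swb; g++) {
            for (w2 = 0; w2 < ics->group_len[w]; w2++) {
                /* per-window work elided, as in the quoted excerpt */
            }
            /* The loop exits only when w2 < group_len[w] fails,
             * so w2 == group_len[w] on this line. */
            if (g) {
                int idx = (w + w2) * SF_STRIDE + g - 1;
                if (idx > max_idx)
                    max_idx = idx;
                if (w + w2 > *max_window)
                    *max_window = w + w2;
            }
        }
    }
    return max_idx;
}

int main(void)
{
    /* Constructed grouping: 8 windows in groups of 3, 3 and 2. */
    struct ics_model ics = { 8, 12, { 3, 0, 0, 3, 0, 0, 2, 0 } };
    int max_window;
    int idx = max_post_loop_index(&ics, &max_window);

    printf("num_windows=%d max w+w2=%d max index=%d\n",
           ics.num_windows, max_window, idx);
    return 0;
}
```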