[FFmpeg-devel] [PATCH 1/1] aacenc_pred: prevent UB in ff_aac_adjust_common_pred()

[Andreas Rheinhardt]

Sean McGovern:
> ---
>  libavcodec/aacenc_pred.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/aacenc_pred.c b/libavcodec/aacenc_pred.c
> index f87fcd5a00..d3efade85e 100644
> --- a/libavcodec/aacenc_pred.c
> +++ b/libavcodec/aacenc_pred.c
> @@ -162,9 +162,11 @@ void ff_aac_adjust_common_pred(AACEncContext *s, ChannelElement *cpe)
>          sce1->ics.window_sequence[0] == EIGHT_SHORT_SEQUENCE)
>          return;
>  
> +    const int num_swb = FFMIN(sce0->ics.num_swb, sizeof(sce0->ics.prediction_used));
> +
>      for (w = 0; w < sce0->ics.num_windows; w += sce0->ics.group_len[w]) {
>          start = 0;
> -        for (g = 0; g < sce0->ics.num_swb; g++) {
> +        for (g = 0; g < num_swb; g++) {
>              int sfb = w*16+g;
>              int sum = sce0->ics.prediction_used[sfb] + sce1->ics.prediction_used[sfb];
>              float ener0 = 0.0f, ener1 = 0.0f, ener01 = 0.0f;

As you can see, the actual index used for accesses is w*16 + g and not
only g. So I was surprised that your fix fixed the test (as you claim).
Digging into the code, num_windows can be either 1 or eight and it is
only eight if window_sequence[0] is EIGHT_SHORT_SEQUENCE (see lines
477-488 in aacpsy.c as well as lines 877-897 in aacenc.c). In case
window_sequence[0] is EIGHT_SHORT_SEQUENCE, we do not even enter this
loop in ff_aac_adjust_common_pred(). This means that the outer loop
above is actually not a loop at all and your fix would indeed fix the
undefined behaviour.
But this also shows that this whole code is a mess. Someone who actually
knows it should take a look. Or maybe the grim reaper.
Anyway, your fix would lead to a wdeclaration-after-statement warning.

- Andreas