ac3dec: fix bugs in direct buffer use.

This fixes potentially exploitable out of array writes. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12 years ago · 7aabeea9ba
parent 529d3e0026
commit 7aabeea9ba
1 changed files with 7 additions and 3 deletions
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@ -1384,12 +1384,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,

    /* decode the audio blocks */
    channel_map = ff_ac3_dec_channel_map[s->output_mode & ~AC3_OUTPUT_LFEON][s->lfe_on];
+    for (ch = 0; ch < AC3_MAX_CHANNELS; ch++) {
+        output[ch] = s->output[ch];
+    }
    for (ch = 0; ch < s->channels; ch++) {
        if (ch < s->out_channels)
            s->outptr[channel_map[ch]] = (float *)s->frame.data[ch];
        else
            s->outptr[ch] = s->output[ch];
-        output[ch] = s->output[ch];
    }
    for (blk = 0; blk < s->num_blocks; blk++) {
        if (!err && decode_audio_block(s, blk)) {
@ -1398,10 +1400,12 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
        }
        if (err)
            for (ch = 0; ch < s->out_channels; ch++)
-                memcpy(s->outptr[channel_map[ch]], output[ch], 1024);
+                memcpy(((float*)s->frame.data[ch]) + AC3_BLOCK_SIZE*blk, output[ch], 1024);
        for (ch = 0; ch < s->out_channels; ch++) {
            output[ch] = s->outptr[channel_map[ch]];
-            s->outptr[channel_map[ch]] += AC3_BLOCK_SIZE;
+        }
+        for (ch = 0; ch < s->channels; ch++) {
+            s->outptr[ch] += AC3_BLOCK_SIZE;
        }
    }