diff options
| author | Mans Rullgard <mans@mansr.com> | 2012-05-01 18:27:19 +0100 |
|---|---|---|
| committer | Mans Rullgard <mans@mansr.com> | 2012-05-01 20:17:07 +0100 |
| commit | 4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6 (patch) | |
| tree | 72c3aa69ada9538a262e53dc0aa8985c7a84e69f | |
| parent | 4010d724e1d57858d56bff66fa245f2d5646be6e (diff) | |
| download | ffmpeg-4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6.tar.gz | |
twinvq: fix out of bounds array access
ModeTab.fmode has only 3 elements, so indexing it with ftype
in the initialier for 'size' is invalid when ftype == FT_PPC.
This fixes crashes with gcc 4.8.
Signed-off-by: Mans Rullgard <mans@mansr.com>
| -rw-r--r-- | libavcodec/twinvq.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 1577d77be3..67bc16088e 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -1000,14 +1000,16 @@ static av_cold void construct_perm_table(TwinContext *tctx,enum FrameType ftype) { int block_size; const ModeTab *mtab = tctx->mtab; - int size = tctx->avctx->channels*mtab->fmode[ftype].sub; + int size; int16_t *tmp_perm = (int16_t *) tctx->tmp_buf; if (ftype == FT_PPC) { size = tctx->avctx->channels; block_size = mtab->ppc_shape_len; - } else + } else { + size = tctx->avctx->channels * mtab->fmode[ftype].sub; block_size = mtab->size / mtab->fmode[ftype].sub; + } permutate_in_line(tmp_perm, tctx->n_div[ftype], size, block_size, tctx->length[ftype], |