[libav-bugs] [Bug 217] New: amrwb code typo suggests (but isn't) a bug

bugzilla-daemon at aruru.libav.org
Mon Jan 30 21:40:45 CET 2012


http://bugzilla.libav.org/show_bug.cgi?id=217

           Summary: amrwb code typo suggests (but isn't) a bug
           Product: Libav
           Version: git HEAD
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: Normal
         Component: libavcodec
        AssignedTo: bugzilla at libav.org
        ReportedBy: rsbultje at gmail.com


From http://code.google.com/p/chromium/issues/detail?id=110371:

===========

I found a buffer access out of bounds issue in file:
chromiumroot/src/third_party/ffmpeg/patched-ffmpeg/libavcodec/amrwbdec.c Please
take a look at the following code fragment at line 930:

static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
{
 ....

    for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
        out[i] = isf[i - 1] + isf[i - 1 - i_max_corr]
                            - isf[i - 2 - i_max_corr];

....
}

The defines LP_ORDER and LP_ORDER_16k are defined in file amrwbdata.h at line
33 and 34:
#define LP_ORDER            16                ///< linear predictive coding filter order
#define LP_ORDER_16k        20                ///< lpc filter order at 16kHz

...
Using the array sizes LP_ORDER and LP_ORDER_16k the code snippet from
amrwbdec.c can be simplified to:
static void extrapolate_isf(float out[20], float isf[16])
{
 ....

    for (i = 16 - 1; i < 20 - 1; i++)
        out[i] = isf[i - 1] + isf[i - 1 - i_max_corr]
                            - isf[i - 2 - i_max_corr];

....
}
As you can see, the buffer isf is accessed out of bounds!

Best regards 

Ettl Martin 

===========

The actual problem here is that the function arguments suggest that the arrays
have a specific size. They are actually larger, and that isn't clear from the
code, so we should probably fix the function declaration to show that isf[]
(and out[]) are pointers rather than arrays of fixed size.
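
Added example, not part of the original report or the libav source: it counts how many isf[] reads of the quoted loop fall outside a buffer of a given size, and shows that the sizes in the parameter list are not part of the function's type. Assumptions: i_max_corr is passed in as a parameter, the caller's buffer holds LP_ORDER_16k floats, and the names oob_reads, as_pointers and run_on_large_buffer are hypothetical.

```c
#include <stdio.h>

#define LP_ORDER     16 /* values quoted in the report */
#define LP_ORDER_16k 20

/* Loop from the quoted fragment; i_max_corr is passed in (assumption).
 * The [16] is adjusted to float *, so the compiler enforces nothing. */
static void extrap_loop(float out[LP_ORDER_16k], float isf[LP_ORDER],
                        int i_max_corr)
{
    for (int i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
        out[i] = isf[i - 1] + isf[i - 1 - i_max_corr]
                            - isf[i - 2 - i_max_corr];
}

/* Same type as above: accepted without a cast, sizes are not in the type. */
static void (*const as_pointers)(float *, float *, int) = extrap_loop;

/* Count the isf[] reads of that loop that fall outside [0, size). */
static int oob_reads(int size, int i_max_corr)
{
    int bad = 0;
    for (int i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++) {
        int idx[3] = { i - 1, i - 1 - i_max_corr, i - 2 - i_max_corr };
        for (int k = 0; k < 3; k++)
            bad += idx[k] < 0 || idx[k] >= size;
    }
    return bad;
}

/* Run the loop on a caller buffer that really holds LP_ORDER_16k floats. */
static float run_on_large_buffer(int i_max_corr)
{
    float isf[LP_ORDER_16k], out[LP_ORDER_16k] = { 0 };
    for (int i = 0; i < LP_ORDER_16k; i++)
        isf[i] = (float)i; /* constructed sample data */
    as_pointers(out, isf, i_max_corr);
    return out[LP_ORDER_16k - 2];
}

int main(void)
{
    printf("reads outside isf[16]: %d, outside isf[20]: %d, out[18] = %g\n",
           oob_reads(LP_ORDER, 0), oob_reads(LP_ORDER_16k, 0),
           run_on_large_buffer(0));
    return 0;
}
```

A compiler that tracks declared parameter bounds may warn about the loop in extrap_loop, which is the same misleading signal the report describes.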
