[libav-commits] aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN .

Alex Converse git at libav.org
Sat Jan 12 20:10:22 CET 2013


Module: libav
Branch: release/0.7
Commit: b143844ea0f6246e0d5a938d743e2e8a98453bec

Author:    Alex Converse <alex.converse at gmail.com>
Committer: Reinhard Tartler <siretart at tauware.de>
Date:      Tue Dec 11 17:26:10 2012 -0800

aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.

Found-by: pawlkt
CC: libav-stable at libav.org
Fixes: CVE-2012-5144
(cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

---

 libavcodec/aacdec.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index cf7b43d..d479c94 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1692,7 +1692,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns,
     int w, filt, m, i;
     int bottom, top, order, start, end, size, inc;
     float lpc[TNS_MAX_ORDER];
-    float tmp[TNS_MAX_ORDER];
+    float tmp[TNS_MAX_ORDER + 1];
 
     for (w = 0; w < ics->num_windows; w++) {
         bottom = ics->num_swb;



More information about the libav-commits mailing list