From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 62146426A0
	for <ffmpegdev@gitmailbox.com>; Thu,  6 Jan 2022 00:43:54 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 45E7168AA82;
	Thu,  6 Jan 2022 02:43:51 +0200 (EET)
Received: from m2osw.com (m2osw.com [138.197.205.139])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 4A64B68A75B
 for <ffmpeg-devel@ffmpeg.org>; Thu,  6 Jan 2022 02:43:44 +0200 (EET)
Received: by m2osw.com (Postfix, from userid 1000)
 id C06AC3F170; Thu,  6 Jan 2022 00:43:41 +0000 (UTC)
From: AlexisWilke <alexis@m2osw.com>
Date: Wed, 5 Jan 2022 16:26:09 -0800
X-Unsent: 1
To: ffmpeg-devel@ffmpeg.org
Message-Id: <20220106004341.C06AC3F170@m2osw.com>
Subject: [FFmpeg-devel] [PATCH] Fix for possible buffer overflow.
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20220106004341.C06AC3F170@m2osw.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

If it is true that the (index + c) can be larger than s->limiter_buf_size
then the overflow potential has to be handled in the previous two statements.

Signed-off-by: AlexisWilke <alexis@m2osw.com>
---
 libavfilter/af_loudnorm.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavfilter/af_loudnorm.c b/libavfilter/af_loudnorm.c
index dbe7fba986..9e6a830a56 100644
--- a/libavfilter/af_loudnorm.c
+++ b/libavfilter/af_loudnorm.c
@@ -206,10 +206,11 @@ static void detect_peak(LoudNormContext *s, int offset, int nb_samples, int chan
                     continue;
 
                 for (c = 0; c < channels; c++) {
-                    if (c == 0 || fabs(buf[index + c]) > max_peak)
-                        max_peak = fabs(buf[index + c]);
+                    int idx((index + c) < s->limiter_buf_size ? (index + c) : (index + c - s->limiter_buf_size));
+                    if (c == 0 || fabs(buf[idx]) > max_peak)
+                        max_peak = fabs(buf[idx]);
 
-                    s->prev_smp[c] = fabs(buf[(index + c) < s->limiter_buf_size ? (index + c) : (index + c - s->limiter_buf_size)]);
+                    s->prev_smp[c] = fabs(buf[idx]);
                 }
 
                 *peak_delta = n;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".