opus: Fix typo causing overflow in silk_stabilize_lsf
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 15 Dec 2015 21:00:31 +0000 (22:00 +0100)
committer: Luca Barbato <lu_zero@gentoo.org>
Wed, 16 Dec 2015 21:19:58 +0000 (22:19 +0100)
Due to this typo max_center can be too large, causing nlsf to be set to
too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to
overflow to a negative value, which is not allowed for nlsf and can
cause an out of bounds read in silk_lsf2lpc.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
libavcodec/opus_silk.c

index f881325..583801d 100644 (file)
@@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_
 
             /* upper extent */
             for (i = order; i > k; i--)
-                max_center -= min_delta[k];
+                max_center -= min_delta[i];
             max_center -= min_delta[k] >> 1;
 
             /* move apart */
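Review bot: In the upper-extent loop the corrected index `min_delta[i]` starts at `i = order`, so `min_delta[order]` is read on the first iteration and the table must hold at least order + 1 entries; the truncated signature in the hunk header does not show its declared length. A short comment stating the expected length of min_delta, or an assertion on it, would make that requirement explicit. The commit message describes the failure as nlsf[i - 1] + min_delta[i] overflowing to a negative value in an int16_t nlsf entry and then causing an out-of-bounds read in silk_lsf2lpc. Given that, consider also doing that addition in a wider type and clamping the result where it is computed, so a future miscalculation of max_center cannot reach the same read.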