aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN.
authorAlex Converse <alex.converse@gmail.com>
Wed, 12 Dec 2012 01:26:10 +0000 (17:26 -0800)
committerReinhard Tartler <siretart@tauware.de>
Sat, 12 Jan 2013 16:59:39 +0000 (17:59 +0100)
Found-by: pawlkt
CC: libav-stable@libav.org
Fixes: CVE-2012-5144
(cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavcodec/aacdec.c

index 2b9b45c..6478c77 100644 (file)
@@ -1747,7 +1747,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns,
     int w, filt, m, i;
     int bottom, top, order, start, end, size, inc;
     float lpc[TNS_MAX_ORDER];
-    float tmp[TNS_MAX_ORDER];
+    float tmp[TNS_MAX_ORDER + 1];
 
     for (w = 0; w < ics->num_windows; w++) {
         bottom = ics->num_swb;