| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The stereowiden filter uses a buffer, s->buffer[], and a pointer
within the buffer, s->write, to implement inter-channel delays.
The loop which applies the delayed samples turns out to be faulty.
109 for (n = 0; n < in->nb_samples; n++, src += 2, dst += 2) {
110 const float left = src[0], right = src[1];
111 float *read = s->write + 2;
112
113 if (read > s->buffer + s->length)
114 read = s->buffer;
115
116 dst[0] = drymix * left - crossfeed * right - feedback * read[1];
117 dst[1] = drymix * right - crossfeed * left - feedback * read[0];
118
119 s->write[0] = left;
120 s->write[1] = right;
121
122 if (s->write == s->buffer + s->length)
123 s->write = s->buffer;
124 else
125 s->write += 2;
126 }
For one, the buffer gets written past its end in lines 119-120, before
the bound check is done in lines 122-123. This can be easily confirmed
by valgrind.
==3544== Invalid read of size 4
==3544== at 0x593B41: filter_frame (af_stereowiden.c:116)
==3544== Address 0xb1b03c4 is 4 bytes after a block of size 7,680 alloc'd
==3544==
==3544== Invalid read of size 4
==3544== at 0x593B66: filter_frame (af_stereowiden.c:117)
==3544== Address 0xb1b03c0 is 0 bytes after a block of size 7,680 alloc'd
==3544==
==3544== Invalid write of size 4
==3544== at 0x593B79: filter_frame (af_stereowiden.c:119)
==3544== Address 0xb1b03c0 is 0 bytes after a block of size 7,680 alloc'd
==3544==
==3544== Invalid write of size 4
==3544== at 0x593B7D: filter_frame (af_stereowiden.c:120)
==3544== Address 0xb1b03c4 is 4 bytes after a block of size 7,680 alloc'd
Also, using two separate pointers, s->write and read = s->write + 2,
does not seem to be well thought out. To apply the delay of s->buffer[],
it is enough to read the delayed samples at the current position within
the buffer, and then to store new samples at the same current position.
Thus the application of delayed samples can probably be best described
with a single pointer s->cur.
I also introduce a minor change to ensure that the size of s->buffer[]
is always a multiple of 2. Since the delay parameter is a float, it is
otherwise possible to trick the code into allocating off-by-one buffer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many of the functions from avfilter/formats can return errors, usually AVERROR(ENOMEM).
This propagates the return values.
All of these were found by using av_warn_unused_result, demonstrating its utility.
Tested with FATE. I am least sure of the changes to avfilter/filtergraph,
since I don't know what/how reduce_format is intended to behave and how it should
react to errors.
Fixes: CID 1325680, 1325679, 1325678.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Previous version Reviewed-by: Nicolas George <george@nsup.org>
Previous version Reviewed-by: Clément Bœsch <u@pkh.me>
Signed-off-by: Ganesh Ajjanagadde <gajjanagadde@gmail.com>
|
