From 4bf2e7c5f1c0ad3997fd7c9859c16db8e4e16df6 Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Tue, 1 May 2012 18:27:19 +0100
Subject: twinvq: fix out of bounds array access

ModeTab.fmode has only 3 elements, so indexing it with ftype
in the initialier for 'size' is invalid when ftype == FT_PPC.

This fixes crashes with gcc 4.8.

Signed-off-by: Mans Rullgard <mans@mansr.com>
---
 libavcodec/twinvq.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'libavcodec/twinvq.c')

diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 1577d77be3..67bc16088e 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -1000,14 +1000,16 @@ static av_cold void construct_perm_table(TwinContext *tctx,enum FrameType ftype)
 {
     int block_size;
     const ModeTab *mtab = tctx->mtab;
-    int size = tctx->avctx->channels*mtab->fmode[ftype].sub;
+    int size;
     int16_t *tmp_perm = (int16_t *) tctx->tmp_buf;
 
     if (ftype == FT_PPC) {
         size  = tctx->avctx->channels;
         block_size = mtab->ppc_shape_len;
-    } else
+    } else {
+        size       = tctx->avctx->channels * mtab->fmode[ftype].sub;
         block_size = mtab->size / mtab->fmode[ftype].sub;
+    }
 
     permutate_in_line(tmp_perm, tctx->n_div[ftype], size,
                       block_size, tctx->length[ftype],
-- 
cgit v1.2.3