From fc6a3ef40d34ce8443ae57c2452f3f273d7d4891 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Mon, 16 Dec 2013 18:44:15 +0100
Subject: audio_mix: fix zeroing output channels in certain cases

Specifically, when the corresponding input channel exists and its matrix column is all-zero (which is necessary for zeroing the output), the matrix column must be removed from the matrix. This is not done currently, so the mixing code would end up using uninitialized pointers from stack.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
 libavresample/audio_mix.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'libavresample')

diff --git a/libavresample/audio_mix.c b/libavresample/audio_mix.c
index 765bc73441..211e3c93a9 100644
--- a/libavresample/audio_mix.c
+++ b/libavresample/audio_mix.c
@@ -559,9 +559,12 @@ static void reduce_matrix(AudioMix *am, const double *matrix, int stride)
 if (zero) {
 am->output_zero[o] = 1;
 am->out_matrix_channels--;
+ if (o < am->in_channels)
+ am->in_matrix_channels--;
 }
 }
- if (am->out_matrix_channels == 0) {
+ if (am->out_matrix_channels == 0 || am->in_matrix_channels == 0) {
+ am->out_matrix_channels = 0;
 am->in_matrix_channels = 0;
 return;
 }
@@ -683,7 +686,7 @@ int ff_audio_mix_set_matrix(AudioMix *am, const double *matrix, int stride)
 am->in_matrix_channels; \
 for (i = 0, i0 = 0; i < am->in_channels; i++) { \
 double v; \
- if (am->input_skip[i]) \
+ if (am->input_skip[i] || am->output_zero[i]) \
 continue; \
 v = matrix[o * stride + i]; \
 am->matrix_## type[o0][i0] = expr; \
-- 
cgit v1.2.3
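Review bot: The added `if (o < am->in_channels) am->in_matrix_channels--;` reuses the output index `o` as an input index, and nothing in the code says why that is valid; the reasoning lives only in the commit message. A comment above it such as `/* output o is zeroed only when input column o is all-zero too, so that column leaves the matrix */` would keep the invariant next to the counter it protects. The widened early return would also benefit from `/* no rows or no columns left: nothing to mix */`, since forcing `out_matrix_channels` to 0 there is otherwise surprising. reduce_matrix starts and ends outside this hunk, so the all-zero column check itself is not visible here.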
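Review bot: In the changed condition, `am->output_zero[i]` indexes a per-output array with the input index `i`, which runs up to `am->in_channels`. That is in bounds and correct only if `output_zero` has at least `in_channels` entries and those at or above `out_channels` are cleared, neither of which is visible in this hunk. The rows filled here appear to be sized by `am->in_matrix_channels`, so the inputs skipped in this loop have to match exactly what reduce_matrix subtracted, and there the decrement is limited to outputs that exist. Making the bound explicit keeps the two in step: `if (am->input_skip[i] || (i < am->out_channels && am->output_zero[i])) \`. The macro body starts and ends outside the hunk.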