libopusdec: fix out-of-bounds read

[ffmpeg] / libavcodec / elbg.c

diff --git a/libavcodec/elbg.c b/libavcodec/elbg.c
index ede863e9bed091c6f412ab6117effd5ce3911dc0..07bb2e31176bae201ce42e412a9e55ff7829fe07 100644 (file)
--- a/libavcodec/elbg.c
+++ b/libavcodec/elbg.c
@@ -1,20 +1,20 @@
 /*
  * Copyright (C) 2007 Vitor Sessak <vitor1001@gmail.com>
  *
- * This file is part of FFmpeg.
+ * This file is part of Libav.
  *
- * FFmpeg is free software; you can redistribute it and/or
+ * Libav is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
  *
- * FFmpeg is distributed in the hope that it will be useful,
+ * Libav is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
- * License along with FFmpeg; if not, write to the Free Software
+ * License along with Libav; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
@@ -25,11 +25,12 @@
 
 #include <string.h>
 
+#include "libavutil/common.h"
 #include "libavutil/lfg.h"
 #include "elbg.h"
 #include "avcodec.h"
 
-#define DELTA_ERR_MAX 0.1  ///< Precision of the ELBG algorithm (as percentual error)
+#define DELTA_ERR_MAX 0.1  ///< Precision of the ELBG algorithm (as percentage error)
 
 /**
  * In the ELBG jargon, a cell is the set of points that are closest to a
@@ -42,7 +43,7 @@ typedef struct cell_s {
 /**
  * ELBG internal data
  */
-typedef struct{
+typedef struct elbg_data {
     int error;
     int dim;
     int numCB;
@@ -110,7 +111,7 @@ static int get_high_utility_cell(elbg_data *elbg)
     while (elbg->utility_inc[i] < r)
         i++;
 
-    assert(!elbg->cells[i]);
+    assert(elbg->cells[i]);
 
     return i;
 }
@@ -188,7 +189,7 @@ static void get_new_centroids(elbg_data *elbg, int huc, int *newcentroid_i,
 
 /**
  * Add the points in the low utility cell to its closest cell. Split the high
- * utility cell, putting the separed points in the (now empty) low utility
+ * utility cell, putting the separated points in the (now empty) low utility
  * cell.
  *
  * @param elbg         Internal elbg data
@@ -322,41 +323,48 @@ static void do_shiftings(elbg_data *elbg)
 
 #define BIG_PRIME 433494437LL
 
-void ff_init_elbg(int *points, int dim, int numpoints, int *codebook,
-                  int numCB, int max_steps, int *closest_cb,
-                  AVLFG *rand_state)
+int ff_init_elbg(int *points, int dim, int numpoints, int *codebook,
+                 int numCB, int max_steps, int *closest_cb,
+                 AVLFG *rand_state)
 {
-    int i, k;
+    int i, k, ret = 0;
 
     if (numpoints > 24*numCB) {
         /* ELBG is very costly for a big number of points. So if we have a lot
            of them, get a good initial codebook to save on iterations       */
         int *temp_points = av_malloc(dim*(numpoints/8)*sizeof(int));
+        if (!temp_points)
+            return AVERROR(ENOMEM);
         for (i=0; i<numpoints/8; i++) {
             k = (i*BIG_PRIME) % numpoints;
             memcpy(temp_points + i*dim, points + k*dim, dim*sizeof(int));
         }
 
-        ff_init_elbg(temp_points, dim, numpoints/8, codebook, numCB, 2*max_steps, closest_cb, rand_state);
-        ff_do_elbg(temp_points, dim, numpoints/8, codebook, numCB, 2*max_steps, closest_cb, rand_state);
-
+        ret = ff_init_elbg(temp_points, dim, numpoints / 8, codebook,
+                           numCB, 2 * max_steps, closest_cb, rand_state);
+        if (ret < 0) {
+            av_freep(&temp_points);
+            return ret;
+        }
+        ret = ff_do_elbg(temp_points, dim, numpoints / 8, codebook,
+                         numCB, 2 * max_steps, closest_cb, rand_state);
         av_free(temp_points);
 
     } else  // If not, initialize the codebook with random positions
         for (i=0; i < numCB; i++)
             memcpy(codebook + i*dim, points + ((i*BIG_PRIME)%numpoints)*dim,
                    dim*sizeof(int));
-
+    return ret;
 }
 
-void ff_do_elbg(int *points, int dim, int numpoints, int *codebook,
+int ff_do_elbg(int *points, int dim, int numpoints, int *codebook,
                 int numCB, int max_steps, int *closest_cb,
                 AVLFG *rand_state)
 {
     int dist;
     elbg_data elbg_d;
     elbg_data *elbg = &elbg_d;
-    int i, j, k, last_error, steps=0;
+    int i, j, k, last_error, steps = 0, ret = 0;
     int *dist_cb = av_malloc(numpoints*sizeof(int));
     int *size_part = av_malloc(numCB*sizeof(int));
     cell *list_buffer = av_malloc(numpoints*sizeof(cell));
@@ -374,6 +382,12 @@ void ff_do_elbg(int *points, int dim, int numpoints, int *codebook,
     elbg->utility_inc = av_malloc(numCB*sizeof(int));
     elbg->scratchbuf = av_malloc(5*dim*sizeof(int));
 
+    if (!dist_cb || !size_part || !list_buffer || !elbg->cells ||
+        !elbg->utility || !elbg->utility_inc || !elbg->scratchbuf) {
+        ret = AVERROR(ENOMEM);
+        goto out;
+    }
+
     elbg->rand_state = rand_state;
 
     do {
@@ -426,6 +440,7 @@ void ff_do_elbg(int *points, int dim, int numpoints, int *codebook,
     } while(((last_error - elbg->error) > DELTA_ERR_MAX*elbg->error) &&
             (steps < max_steps));
 
+out:
     av_free(dist_cb);
     av_free(size_part);
     av_free(elbg->utility);
@@ -433,4 +448,5 @@ void ff_do_elbg(int *points, int dim, int numpoints, int *codebook,
     av_free(elbg->cells);
     av_free(elbg->utility_inc);
     av_free(elbg->scratchbuf);
+    return ret;
 }