File ffmpeg-CVE-2020-22026.patch of Package ffmpeg.28802
From 58bb9d3a3a6ede1c6cfb82bf671a5f138e6b2144 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Sat, 19 Oct 2019 19:34:47 +0200
Subject: [PATCH] avfilter/af_tremolo: fix heap-buffer overflow
Fixes #8317
---
libavfilter/af_tremolo.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavfilter/af_tremolo.c b/libavfilter/af_tremolo.c
index 8cbc79892d..f55e8e2b09 100644
--- a/libavfilter/af_tremolo.c
+++ b/libavfilter/af_tremolo.c
@@ -28,6 +28,7 @@ typedef struct TremoloContext {
double freq;
double depth;
double *table;
+ int table_size;
int index;
} TremoloContext;
@@ -72,7 +73,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
dst += channels;
src += channels;
s->index++;
- if (s->index >= inlink->sample_rate / s->freq)
+ if (s->index >= s->table_size)
s->index = 0;
}
@@ -125,11 +126,12 @@ static int config_input(AVFilterLink *inlink)
const double offset = 1. - s->depth / 2.;
int i;
- s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table));
+ s->table_size = inlink->sample_rate / s->freq;
+ s->table = av_malloc_array(s->table_size, sizeof(*s->table));
if (!s->table)
return AVERROR(ENOMEM);
- for (i = 0; i < inlink->sample_rate / s->freq; i++) {
+ for (i = 0; i < s->table_size; i++) {
double env = s->freq * i / inlink->sample_rate;
env = sin(2 * M_PI * fmod(env + 0.25, 1.0));
s->table[i] = env * (1 - fabs(offset)) + offset;
--
2.31.1