undefined-behavior at libavcodec/ac3enc.c and heap buffer overflow at zmbvenc.c:97

[Suhwan]

Summary of the bug:
There're an undefined-behavior at libavcodec/ac3enc.c:1068:37 and a heap buffer overflow at zmbvenc.c:97.

How to reproduce:

% ffmpeg_g  -y -r 79 -i tmp.webm -map 0 -c:v zmbv -c:v:80 asv1 -disposition:v:60 zmbv -disposition:s pcm_s8 -ab 962 -ar 48000 -ac 10 -b:v 399k tmp_.avi

ffmpeg version : N-94163-g664a27ea40
built with clang version 9.0.0

1064 static int bit_alloc(AC3EncodeContext *s, int snr_offset)
1065 {
1066     int blk, ch;
1067 
1068     snr_offset = (snr_offset - 240) << 2;
1069 
1070     reset_block_bap(s);
1071     for (blk = 0; blk < s->num_blocks; blk++) {
1072         AC3Block *block = &s->blocks[blk];
1073 
1074         for (ch = !block->cpl_in_use; ch <= s->channels; ch++) {
1075             /* Currently the only bit allocation parameters which vary across
1076                blocks within a frame are the exponent values.  We can take
1077                advantage of that by reusing the bit allocation pointers
1078                whenever we reuse exponents. */
1079             if (s->exp_strategy[ch][blk] != EXP_REUSE) {
1080                 s->ac3dsp.bit_alloc_calc_bap(block->mask[ch], block->psd[ch],
1081                                              s->start_freq[ch], block->end_freq[ch],
1082                                              snr_offset, s->bit_alloc.floor,
1083                                              ff_ac3_bap_tab, s->ref_bap[ch][blk]);
1084             }
1085         }
1086     }
1087     return count_mantissa_bits(s);
1088 }

[mkver]

The ac3-bug has been fixed in 2f289ec914cc7e8133858d4f9e8d91dab685ae44.

[mkver]

The zmbvenc bug has been fixed in def04022f4a7058f99e669bfd978d431d79aec18.