summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwm4 <wm4@nowhere>2012-08-26 21:40:54 +0200
committerwm4 <wm4@nowhere>2012-08-26 22:17:27 +0200
commit413c6f5b306ec3b36b3003d1834328960504ec1c (patch)
treea8bc668033e65f6e0db2db2bb23039ca70ad6991
parent424822b5378317628de2babff1b5da27d235764b (diff)
downloadmpv-413c6f5b306ec3b36b3003d1834328960504ec1c.tar.bz2
mpv-413c6f5b306ec3b36b3003d1834328960504ec1c.tar.xz
af_scaletempo: fix crash on channel reconfiguration
This crash happened when audio channels were reconfigured from 6 channels to 2, and playback speed was set to 2. The crash is caused by passing a negative size to memcpy. It appears reinitialization doesn't clear the buffer. As the result, the buffer can be larger as the maximum buffer size, i.e. the invariant bytes_queued <= bytes_queue is violated. Fix this by resetting the buffer length on reconfiguring (set the bytes_queued vairable to 0). Also reset some other state for clarity and robustness, although these changes aren't strictly needed for avoiding the actual crash. This may also get rid of some noise played right after reinitialization, as the re-used buffer was in the wrong audio format.
-rw-r--r--libaf/af_scaletempo.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/libaf/af_scaletempo.c b/libaf/af_scaletempo.c
index 4ea25bf9e3..7b951860d4 100644
--- a/libaf/af_scaletempo.c
+++ b/libaf/af_scaletempo.c
@@ -34,6 +34,7 @@
#include <stdlib.h>
#include <string.h>
#include <limits.h>
+#include <assert.h>
#include "af.h"
#include "libavutil/common.h"
@@ -104,6 +105,7 @@ static int fill_queue(struct af_instance_s* af, af_data_t* data, int offset)
if (bytes_in > 0) {
int bytes_copy = FFMIN(s->bytes_queue - s->bytes_queued, bytes_in);
+ assert(bytes_copy >= 0);
memcpy(s->buf_queue + s->bytes_queued,
(int8_t*)data->audio + offset,
bytes_copy);
@@ -331,6 +333,7 @@ static int control(struct af_instance_s* af, int cmd, void* arg)
s->bytes_standing = s->bytes_stride;
s->samples_standing = s->bytes_standing / bps;
s->output_overlap = NULL;
+ s->bytes_overlap = 0;
} else {
s->samples_overlap = frames_overlap * nch;
s->bytes_overlap = frames_overlap * nch * bps;
@@ -419,6 +422,9 @@ static int control(struct af_instance_s* af, int cmd, void* arg)
return AF_ERROR;
}
+ s->bytes_queued = 0;
+ s->bytes_to_slide = 0;
+
mp_msg (MSGT_AFILTER, MSGL_DBG2, "[scaletempo] "
"%.2f stride_in, %i stride_out, %i standing, "
"%i overlap, %i search, %i queue, %s mode\n",