Diary Of An x264 Developer

05/01/2008 (5:03 pm)

Array overflows

Filed under: memory management, ugly code, x264

x264 keeps a set of pointers to various arrays used for custom quantization matrices (CQMs), deadzone biases, etc. These are stored in the primary x264_t struct as follows:

uint16_t (*quant4_bias[4])[16]; /* [4][52][16] */
uint16_t (*quant8_bias[2])[64]; /* [2][52][64] */

They are malloced at the start of the program and deleted when x264 finishes. Unfortunately the delete code looks something like this:

for( i = 0; i < 6; i++ )
{
    …
    /* quant4_bias has only 4 entries; i = 4 and i = 5 index past it into quant8_bias */
    x264_free( h->quant4_bias[i] );
}

A small part of me died when I read this code. Yes, that’s right, it’s overflowing the array of pointers intentionally because they’re arranged sequentially in the struct. Apparently, according to Loren Merritt, this simplifies the deletion code.
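As an added example (not code from the post or from x264), here is a cut-down stand-in for those two fields with the tables freed inside their own bounds, plus an offsetof check that states the layout assumption the six-iteration loop relies on; the type and function names (cqm_tables_t, cqm_alloc, cqm_free, cqm_layout_is_contiguous, cqm_roundtrip_ok) are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two x264_t fields quoted in the post. */
typedef struct {
    uint16_t (*quant4_bias[4])[16]; /* [4][52][16] */
    uint16_t (*quant8_bias[2])[64]; /* [2][52][64] */
} cqm_tables_t;

#define QP_COUNT 52 /* the 52 quantizer steps from the comments above */

/* Allocate every table; returns 0 on success, -1 if any calloc fails. */
int cqm_alloc(cqm_tables_t *t)
{
    memset(t, 0, sizeof *t); /* so a partial failure can still be freed */
    for (size_t i = 0; i < 4; i++)
        if (!(t->quant4_bias[i] = calloc(QP_COUNT, sizeof *t->quant4_bias[i])))
            return -1;
    for (size_t i = 0; i < 2; i++)
        if (!(t->quant8_bias[i] = calloc(QP_COUNT, sizeof *t->quant8_bias[i])))
            return -1;
    return 0;
}

/* Free each array within its own bounds; nothing depends on struct layout.
   free(NULL) is a no-op, so this is safe after a failed cqm_alloc too. */
void cqm_free(cqm_tables_t *t)
{
    for (size_t i = 0; i < 4; i++) { free(t->quant4_bias[i]); t->quant4_bias[i] = NULL; }
    for (size_t i = 0; i < 2; i++) { free(t->quant8_bias[i]); t->quant8_bias[i] = NULL; }
}

/* 1 if quant8_bias starts right after quant4_bias, i.e. the layout the
   i < 6 loop silently assumes; 0 if the compiler inserted padding. */
int cqm_layout_is_contiguous(void)
{
    return offsetof(cqm_tables_t, quant8_bias) ==
           offsetof(cqm_tables_t, quant4_bias) + sizeof ((cqm_tables_t *)0)->quant4_bias;
}

/* Allocate, then free, then confirm every pointer was cleared. Returns 1 on success. */
int cqm_roundtrip_ok(void)
{
    cqm_tables_t t;
    if (cqm_alloc(&t) != 0) { cqm_free(&t); return 0; }
    cqm_free(&t);
    for (size_t i = 0; i < 4; i++) if (t.quant4_bias[i]) return 0;
    for (size_t i = 0; i < 2; i++) if (t.quant8_bias[i]) return 0;
    return 1;
}
```

Building with AddressSanitizer or running under Valgrind is the quickest way to confirm that a loop like the original one really does read past quant4_bias, even when the freed pointers happen to be the right ones.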
