From 2cb8edea7c9af336f3fa60ac8a0f9b8a17e92188 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 20 Jan 2016 15:05:38 +0100
Subject: [PATCH] avcodec/aacenc: Check all coefficients for finiteness
This is needed as near infinite values on the input side result in only some output to be non finite. Also it may still be insufficient if subsequent computations overflow Fixes null pointer dereference
Fixes: ae66c0f6c12ac1cd5c2c237031240f57/signal_sigsegv_2618c99_9516_6007026f2185a26d7afea895fbed6e38.ogg
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Claudio Freire
Signed-off-by: Michael Niedermayer
---
 libavcodec/aacenc.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c
index fe5476346a..553a5ae42d 100644
--- a/libavcodec/aacenc.c
+++ b/libavcodec/aacenc.c
@@ -544,6 +544,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
 chans = tag == TYPE_CPE ? 2 : 1;
 cpe = &s->cpe[i];
 for (ch = 0; ch < chans; ch++) {
+ int k;
 float clip_avoidance_factor;
 sce = &cpe->ch[ch];
 ics = &sce->ics;
@@ -607,17 +608,11 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
 s->mdct1024.mdct_calc(&s->mdct1024, sce->lcoeffs, sce->ret_buf);
 }
- if (!(isfinite(cpe->ch[ch].coeffs[ 0]) &&
- isfinite(cpe->ch[ch].coeffs[ 128]) &&
- isfinite(cpe->ch[ch].coeffs[2*128]) &&
- isfinite(cpe->ch[ch].coeffs[3*128]) &&
- isfinite(cpe->ch[ch].coeffs[4*128]) &&
- isfinite(cpe->ch[ch].coeffs[5*128]) &&
- isfinite(cpe->ch[ch].coeffs[6*128]) &&
- isfinite(cpe->ch[ch].coeffs[7*128]))
- ) {
- av_log(avctx, AV_LOG_ERROR, "Input contains NaN/+-Inf\n");
- return AVERROR(EINVAL);
+ for (k = 0; k < 1024; k++) {
+ if (!isfinite(cpe->ch[ch].coeffs[k])) {
+ av_log(avctx, AV_LOG_ERROR, "Input contains NaN/+-Inf\n");
+ return AVERROR(EINVAL);
+ }
 }
 avoid_clipping(s, sce);
 }
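Review bot: The new loop in the second hunk hard-codes `1024` as its bound, so the check silently stops covering the whole buffer (or reads past it) if the size of `coeffs` ever changes. Assuming `coeffs` is a real array member of the channel element (its declaration is outside the hunk), `for (k = 0; k < FF_ARRAY_ELEMS(sce->coeffs); k++)` ties the bound to the buffer, and `sce` already points at `cpe->ch[ch]`. As the commit message itself concedes, this only rejects values that are already NaN/Inf after the MDCT, so very large finite input can presumably still overflow in later stages; the code that dereferenced the null pointer should also fail safely on its own rather than depend on this guard. A short comment such as `/* check every coefficient: near-infinite input makes only some outputs non-finite */` would stop a later reader from turning this back into a sampled check. `aac_encode_frame` starts and ends outside the hunk.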