avcodec/aac/aacdec_lpd: Limit get_unary()

The limit is based on later code storing 32bits Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 393164866/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4606798354513920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-08-04 22:03:09 +02:00 · 2025-02-08 22:16:38 +01:00
parent 41cd72d76e
commit 464fb861b1
1 changed files with 6 additions and 3 deletions
--- a/libavcodec/aac/aacdec_lpd.c
+++ b/libavcodec/aac/aacdec_lpd.c
@ -62,7 +62,7 @@ static void parse_qn(GetBitContext *gb, int *qn, int nk_mode, int no_qn)
 {
    if (nk_mode == 1) {
        for (int k = 0; k < no_qn; k++) {
-            qn[k] = get_unary(gb, 0, INT32_MAX); // TODO: find proper ranges
+            qn[k] = get_unary(gb, 0, 68); // TODO: find proper ranges
            if (qn[k])
                qn[k]++;
        }
@ -75,7 +75,7 @@ static void parse_qn(GetBitContext *gb, int *qn, int nk_mode, int no_qn)
    if (nk_mode == 2) {
        for (int k = 0; k < no_qn; k++) {
            if (qn[k] > 4) {
-                qn[k] = get_unary(gb, 0, INT32_MAX);;
+                qn[k] = get_unary(gb, 0, 65);
                if (qn[k])
                    qn[k] += 4;
            }
@ -85,7 +85,7 @@ static void parse_qn(GetBitContext *gb, int *qn, int nk_mode, int no_qn)

    for (int k = 0; k < no_qn; k++) {
        if (qn[k] > 4) {
-            int qn_ext = get_unary(gb, 0, INT32_MAX);;
+            int qn_ext = get_unary(gb, 0, 65);
            switch (qn_ext) {
            case 0: qn[k] = 5; break;
            case 1: qn[k] = 6; break;
@ -114,6 +114,9 @@ static int parse_codebook_idx(GetBitContext *gb, uint32_t *kv,
        }
    }

+    if (nk > 25)
+        return AVERROR_PATCHWELCOME;
+
    skip_bits(gb, 4*n);

    if (nk > 0)