virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

aacdec: reset max_sfb on invalid data.

Browse Source 
Fixes global out of array read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2012-03-22 23:57:45 +01:00
parent 3583c8706d
commit 5a4af049b1
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
libavcodec/aacdec.c
View File

@@ -961,11 +961,11 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
if (ics->predictor_present) { if (ics->predictor_present) {
if (ac->m4ac.object_type == AOT_AAC_MAIN) { if (ac->m4ac.object_type == AOT_AAC_MAIN) {
if (decode_prediction(ac, ics, gb)) { if (decode_prediction(ac, ics, gb)) {
return AVERROR_INVALIDDATA; goto fail;
} }
} else if (ac->m4ac.object_type == AOT_AAC_LC) { } else if (ac->m4ac.object_type == AOT_AAC_LC) {
av_log(ac->avctx, AV_LOG_ERROR, "Prediction is not allowed in AAC-LC.\n"); av_log(ac->avctx, AV_LOG_ERROR, "Prediction is not allowed in AAC-LC.\n");
return AVERROR_INVALIDDATA; goto fail;
} else { } else {
if ((ics->ltp.present = get_bits(gb, 1))) if ((ics->ltp.present = get_bits(gb, 1)))
decode_ltp(ac, &ics->ltp, gb, ics->max_sfb); decode_ltp(ac, &ics->ltp, gb, ics->max_sfb);
@@ -977,10 +977,13 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
av_log(ac->avctx, AV_LOG_ERROR, av_log(ac->avctx, AV_LOG_ERROR,
"Number of scalefactor bands in group (%d) exceeds limit (%d).\n", "Number of scalefactor bands in group (%d) exceeds limit (%d).\n",
ics->max_sfb, ics->num_swb); ics->max_sfb, ics->num_swb);
return AVERROR_INVALIDDATA; goto fail;
} }
return 0; return 0;
fail:
ics->max_sfb = 0;
return AVERROR_INVALIDDATA;
} }
/** /**