virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

aacdec: add decode_channel_map overread check

Browse Source 
All decode_channel_map calls together can easily read
more data than the amount of padding available.
Thus below patch adds an input length check before reading them.
Fixes some invalid reads with sample from
http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1138
This commit is contained in:
Reimar Döffinger
2011-05-07 17:49:42 +02:00
parent 5631729c3d
commit 6fd00e9dd9
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/aacdec.c
View File

@@ -315,6 +315,10 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac,
if (get_bits1(gb))
skip_bits(gb, 3); // mixdown_coeff_index and pseudo_surround
if (get_bits_left(gb) < 4 * (num_front + num_side + num_back + num_lfe + num_assoc_data + num_cc)) {
av_log(avctx, AV_LOG_ERROR, overread_err);
return -1;
}
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_FRONT, gb, num_front);
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_SIDE, gb, num_side );
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_BACK, gb, num_back );