1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-24 13:56:33 +02:00

aacsbr: Fix type for index variable

Prevents unsigned overflow and variable truncation.

Bug-Id: CID 603186
This commit is contained in:
Vittorio Giovara 2015-03-11 19:25:00 +00:00
parent 7c60c124c8
commit cdce9e8025

View File

@ -628,7 +628,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
GetBitContext *gb, SBRData *ch_data)
{
int i;
unsigned bs_pointer = 0;
int bs_pointer = 0;
// frameLengthFlag ? 15 : 16; 960 sample length frames unsupported; this value is numTimeSlots
int abs_bord_trail = 16;
int num_rel_lead, num_rel_trail;
@ -721,7 +721,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
break;
}
if (bs_pointer > ch_data->bs_num_env + 1) {
if (bs_pointer < 0 || bs_pointer > ch_data->bs_num_env + 1) {
av_log(ac->avctx, AV_LOG_ERROR,
"Invalid bitstream, bs_pointer points to a middle noise border outside the time borders table: %d\n",
bs_pointer);
@ -740,7 +740,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
ch_data->t_q[0] = ch_data->t_env[0];
ch_data->t_q[ch_data->bs_num_noise] = ch_data->t_env[ch_data->bs_num_env];
if (ch_data->bs_num_noise > 1) {
unsigned int idx;
int idx;
if (ch_data->bs_frame_class == FIXFIX) {
idx = ch_data->bs_num_env >> 1;
} else if (ch_data->bs_frame_class & 1) { // FIXVAR or VARVAR