From d877b88f5188fa3d71525c8d4d404daa4798e9fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Nov 2015 13:00:27 +0100 Subject: [PATCH] avcodec/aacsbr_template: Check values read in read_sbr_noise() Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 906823ab72..7772b68a97 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -886,7 +886,7 @@ static void read_sbr_envelope(SpectralBandReplication *sbr, GetBitContext *gb, sizeof(ch_data->env_facs[0])); } -static void read_sbr_noise(SpectralBandReplication *sbr, GetBitContext *gb, +static int read_sbr_noise(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb, SBRData *ch_data, int ch) { int i, j; @@ -908,18 +908,29 @@ static void read_sbr_noise(SpectralBandReplication *sbr, GetBitContext *gb, for (i = 0; i < ch_data->bs_num_noise; i++) { if (ch_data->bs_df_noise[i]) { - for (j = 0; j < sbr->n_q; j++) + for (j = 0; j < sbr->n_q; j++) { ch_data->noise_facs_q[i + 1][j] = ch_data->noise_facs_q[i][j] + delta * (get_vlc2(gb, t_huff, 9, 2) - t_lav); + if (ch_data->noise_facs_q[i + 1][j] > 30U) { + av_log(ac->avctx, AV_LOG_ERROR, "noise_facs_q %d is invalid\n", ch_data->noise_facs_q[i + 1][j]); + return AVERROR_INVALIDDATA; + } + } } else { ch_data->noise_facs_q[i + 1][0] = delta * get_bits(gb, 5); // bs_noise_start_value_balance or bs_noise_start_value_level - for (j = 1; j < sbr->n_q; j++) + for (j = 1; j < sbr->n_q; j++) { ch_data->noise_facs_q[i + 1][j] = ch_data->noise_facs_q[i + 1][j - 1] + delta * (get_vlc2(gb, f_huff, 9, 3) - f_lav); + if (ch_data->noise_facs_q[i + 1][j] > 30U) { + av_log(ac->avctx, AV_LOG_ERROR, "noise_facs_q %d is invalid\n", ch_data->noise_facs_q[i + 1][j]); + return AVERROR_INVALIDDATA; + } + } } } //assign 0th elements of noise_facs_q from last elements memcpy(ch_data->noise_facs_q[0], ch_data->noise_facs_q[ch_data->bs_num_noise], sizeof(ch_data->noise_facs_q[0])); + return 0; } static void read_sbr_extension(AACContext *ac, SpectralBandReplication *sbr, @@ -957,6 +968,8 @@ static int read_sbr_single_channel_element(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb) { + int ret; + if (get_bits1(gb)) // bs_data_extra skip_bits(gb, 4); // bs_reserved @@ -965,7 +978,8 @@ static int read_sbr_single_channel_element(AACContext *ac, read_sbr_dtdf(sbr, gb, &sbr->data[0]); read_sbr_invf(sbr, gb, &sbr->data[0]); read_sbr_envelope(sbr, gb, &sbr->data[0], 0); - read_sbr_noise(sbr, gb, &sbr->data[0], 0); + if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0) + return ret; if ((sbr->data[0].bs_add_harmonic_flag = get_bits1(gb))) get_bits1_vector(gb, sbr->data[0].bs_add_harmonic, sbr->n[1]); @@ -977,6 +991,8 @@ static int read_sbr_channel_pair_element(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb) { + int ret; + if (get_bits1(gb)) // bs_data_extra skip_bits(gb, 8); // bs_reserved @@ -990,9 +1006,11 @@ static int read_sbr_channel_pair_element(AACContext *ac, memcpy(sbr->data[1].bs_invf_mode[1], sbr->data[1].bs_invf_mode[0], sizeof(sbr->data[1].bs_invf_mode[0])); memcpy(sbr->data[1].bs_invf_mode[0], sbr->data[0].bs_invf_mode[0], sizeof(sbr->data[1].bs_invf_mode[0])); read_sbr_envelope(sbr, gb, &sbr->data[0], 0); - read_sbr_noise(sbr, gb, &sbr->data[0], 0); + if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0) + return ret; read_sbr_envelope(sbr, gb, &sbr->data[1], 1); - read_sbr_noise(sbr, gb, &sbr->data[1], 1); + if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[1], 1)) < 0) + return ret; } else { if (read_sbr_grid(ac, sbr, gb, &sbr->data[0]) || read_sbr_grid(ac, sbr, gb, &sbr->data[1])) @@ -1003,8 +1021,10 @@ static int read_sbr_channel_pair_element(AACContext *ac, read_sbr_invf(sbr, gb, &sbr->data[1]); read_sbr_envelope(sbr, gb, &sbr->data[0], 0); read_sbr_envelope(sbr, gb, &sbr->data[1], 1); - read_sbr_noise(sbr, gb, &sbr->data[0], 0); - read_sbr_noise(sbr, gb, &sbr->data[1], 1); + if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0) + return ret; + if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[1], 1)) < 0) + return ret; } if ((sbr->data[0].bs_add_harmonic_flag = get_bits1(gb)))