From aac0eda40754c010ab5156dcd5d0d1554937e9a7 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Tue, 16 Sep 2008 15:59:43 +0000
Subject: [PATCH] Validate pulse position and error out if an invalid position is encountered. Patch by Alex Converse (alex converse gmail com) Originally committed as revision 15340 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/aac.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/libavcodec/aac.c b/libavcodec/aac.c
index 87005ab8e9..12037e0339 100644
--- a/libavcodec/aac.c
+++ b/libavcodec/aac.c
@@ -594,16 +594,24 @@ static int decode_scalefactors(AACContext * ac, float sf[120], GetBitContext * g
 /**
 * Decode pulse data; reference: table 4.7.
 */
-static void decode_pulses(Pulse * pulse, GetBitContext * gb, const uint16_t * swb_offset) {
- int i;
+static int decode_pulses(Pulse * pulse, GetBitContext * gb, const uint16_t * swb_offset, int num_swb) {
+ int i, pulse_swb;
 pulse->num_pulse = get_bits(gb, 2) + 1;
- pulse->pos[0] = swb_offset[get_bits(gb, 6)];
+ pulse_swb = get_bits(gb, 6);
+ if (pulse_swb >= num_swb)
+ return -1;
+ pulse->pos[0] = swb_offset[pulse_swb];
 pulse->pos[0] += get_bits(gb, 5);
+ if (pulse->pos[0] > 1023)
+ return -1;
 pulse->amp[0] = get_bits(gb, 4);
 for (i = 1; i < pulse->num_pulse; i++) {
 pulse->pos[i] = get_bits(gb, 5) + pulse->pos[i-1];
+ if (pulse->pos[i] > 1023)
+ return -1;
 pulse->amp[i] = get_bits(gb, 4);
 }
+ return 0;
 }
 
 /**
@@ -811,7 +819,10 @@ static int decode_ics(AACContext * ac, SingleChannelElement * sce, GetBitContext
 av_log(ac->avccontext, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n");
 return -1;
 }
- decode_pulses(&pulse, gb, ics->swb_offset);
+ if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
+ av_log(ac->avccontext, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n");
+ return -1;
+ }
 }
 if ((tns->present = get_bits1(gb)) && decode_tns(ac, tns, gb, ics))
 return -1;
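Review bot: The upper bound `1023` in the added `pulse->pos[0] > 1023` and `pulse->pos[i] > 1023` checks of `decode_pulses` is a bare literal repeated twice, with nothing tying it to the size of the buffer these positions are later used to index (that code is outside this patch, so the intended size is inferred). Since these checks are what reject out-of-range positions read from an untrusted bitstream, I would name the limit or at least add a comment such as `/* pulse positions must stay inside the 1024-coefficient frame */` next to the first check. The doc comment above the function still says only "Decode pulse data; reference: table 4.7." and should also state the new contract, e.g. `@param num_swb number of scalefactor window bands; pulse_swb must be below it` and `@return 0 on success, -1 if a pulse position is out of range`.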