Mercurial > libavcodec.hg
comparison aac.c @ 11205:f5d50932acc0 libavcodec
Add some AAC buffer overread checks.
| author | alexc |
|---|---|
| date | Thu, 18 Feb 2010 23:06:56 +0000 |
| parents | 69020e1846fe |
| children | 11fb96e94573 |
comparison
equal
deleted
inserted
replaced
| 11204:ba1c541f7e8a | 11205:f5d50932acc0 |
|---|---|
| 105 static VLC vlc_scalefactors; | 105 static VLC vlc_scalefactors; |
| 106 static VLC vlc_spectral[11]; | 106 static VLC vlc_spectral[11]; |
| 107 | 107 |
| 108 static uint32_t cbrt_tab[1<<13]; | 108 static uint32_t cbrt_tab[1<<13]; |
| 109 | 109 |
| 110 static const char overread_err[] = "Input buffer exhausted before END element found\n"; | |
| 111 | |
| 110 static ChannelElement *get_che(AACContext *ac, int type, int elem_id) | 112 static ChannelElement *get_che(AACContext *ac, int type, int elem_id) |
| 111 { | 113 { |
| 112 if (ac->tag_che_map[type][elem_id]) { | 114 if (ac->tag_che_map[type][elem_id]) { |
| 113 return ac->tag_che_map[type][elem_id]; | 115 return ac->tag_che_map[type][elem_id]; |
| 114 } | 116 } |
| 276 */ | 278 */ |
| 277 static int decode_pce(AACContext *ac, enum ChannelPosition new_che_pos[4][MAX_ELEM_ID], | 279 static int decode_pce(AACContext *ac, enum ChannelPosition new_che_pos[4][MAX_ELEM_ID], |
| 278 GetBitContext *gb) | 280 GetBitContext *gb) |
| 279 { | 281 { |
| 280 int num_front, num_side, num_back, num_lfe, num_assoc_data, num_cc, sampling_index; | 282 int num_front, num_side, num_back, num_lfe, num_assoc_data, num_cc, sampling_index; |
| 283 int comment_len; | |
| 281 | 284 |
| 282 skip_bits(gb, 2); // object_type | 285 skip_bits(gb, 2); // object_type |
| 283 | 286 |
| 284 sampling_index = get_bits(gb, 4); | 287 sampling_index = get_bits(gb, 4); |
| 285 if (ac->m4ac.sampling_index != sampling_index) | 288 if (ac->m4ac.sampling_index != sampling_index) |
| 310 decode_channel_map(new_che_pos[TYPE_CCE], new_che_pos[TYPE_CCE], AAC_CHANNEL_CC, gb, num_cc ); | 313 decode_channel_map(new_che_pos[TYPE_CCE], new_che_pos[TYPE_CCE], AAC_CHANNEL_CC, gb, num_cc ); |
| 311 | 314 |
| 312 align_get_bits(gb); | 315 align_get_bits(gb); |
| 313 | 316 |
| 314 /* comment field, first byte is length */ | 317 /* comment field, first byte is length */ |
| 315 skip_bits_long(gb, 8 * get_bits(gb, 8)); | 318 comment_len = get_bits(gb, 8) * 8; |
| 319 if (get_bits_left(gb) < comment_len) { | |
| 320 av_log(ac->avccontext, AV_LOG_ERROR, overread_err); | |
| 321 return -1; | |
| 322 } | |
| 323 skip_bits_long(gb, comment_len); | |
| 316 return 0; | 324 return 0; |
| 317 } | 325 } |
| 318 | 326 |
| 319 /** | 327 /** |
| 320 * Set up channel positions based on a default channel configuration | 328 * Set up channel positions based on a default channel configuration |
| 572 } | 580 } |
| 573 | 581 |
| 574 /** | 582 /** |
| 575 * Skip data_stream_element; reference: table 4.10. | 583 * Skip data_stream_element; reference: table 4.10. |
| 576 */ | 584 */ |
| 577 static void skip_data_stream_element(GetBitContext *gb) | 585 static int skip_data_stream_element(AACContext *ac, GetBitContext *gb) |
| 578 { | 586 { |
| 579 int byte_align = get_bits1(gb); | 587 int byte_align = get_bits1(gb); |
| 580 int count = get_bits(gb, 8); | 588 int count = get_bits(gb, 8); |
| 581 if (count == 255) | 589 if (count == 255) |
| 582 count += get_bits(gb, 8); | 590 count += get_bits(gb, 8); |
| 583 if (byte_align) | 591 if (byte_align) |
| 584 align_get_bits(gb); | 592 align_get_bits(gb); |
| 593 | |
| 594 if (get_bits_left(gb) < 8 * count) { | |
| 595 av_log(ac->avccontext, AV_LOG_ERROR, overread_err); | |
| 596 return -1; | |
| 597 } | |
| 585 skip_bits_long(gb, 8 * count); | 598 skip_bits_long(gb, 8 * count); |
| 599 return 0; | |
| 586 } | 600 } |
| 587 | 601 |
| 588 static int decode_prediction(AACContext *ac, IndividualChannelStream *ics, | 602 static int decode_prediction(AACContext *ac, IndividualChannelStream *ics, |
| 589 GetBitContext *gb) | 603 GetBitContext *gb) |
| 590 { | 604 { |
| 1970 case TYPE_LFE: | 1984 case TYPE_LFE: |
| 1971 err = decode_ics(ac, &che->ch[0], &gb, 0, 0); | 1985 err = decode_ics(ac, &che->ch[0], &gb, 0, 0); |
| 1972 break; | 1986 break; |
| 1973 | 1987 |
| 1974 case TYPE_DSE: | 1988 case TYPE_DSE: |
| 1975 skip_data_stream_element(&gb); | 1989 err = skip_data_stream_element(ac, &gb); |
| 1976 err = 0; | |
| 1977 break; | 1990 break; |
| 1978 | 1991 |
| 1979 case TYPE_PCE: { | 1992 case TYPE_PCE: { |
| 1980 enum ChannelPosition new_che_pos[4][MAX_ELEM_ID]; | 1993 enum ChannelPosition new_che_pos[4][MAX_ELEM_ID]; |
| 1981 memset(new_che_pos, 0, 4 * MAX_ELEM_ID * sizeof(new_che_pos[0][0])); | 1994 memset(new_che_pos, 0, 4 * MAX_ELEM_ID * sizeof(new_che_pos[0][0])); |
| 1990 } | 2003 } |
| 1991 | 2004 |
| 1992 case TYPE_FIL: | 2005 case TYPE_FIL: |
| 1993 if (elem_id == 15) | 2006 if (elem_id == 15) |
| 1994 elem_id += get_bits(&gb, 8) - 1; | 2007 elem_id += get_bits(&gb, 8) - 1; |
| 2008 if (get_bits_left(&gb) < 8 * elem_id) { | |
| 2009 av_log(avccontext, AV_LOG_ERROR, overread_err); | |
| 2010 return -1; | |
| 2011 } | |
| 1995 while (elem_id > 0) | 2012 while (elem_id > 0) |
| 1996 elem_id -= decode_extension_payload(ac, &gb, elem_id); | 2013 elem_id -= decode_extension_payload(ac, &gb, elem_id); |
| 1997 err = 0; /* FIXME */ | 2014 err = 0; /* FIXME */ |
| 1998 break; | 2015 break; |
| 1999 | 2016 |
| 2002 break; | 2019 break; |
| 2003 } | 2020 } |
| 2004 | 2021 |
| 2005 if (err) | 2022 if (err) |
| 2006 return err; | 2023 return err; |
| 2024 | |
| 2025 if (get_bits_left(&gb) < 3) { | |
| 2026 av_log(avccontext, AV_LOG_ERROR, overread_err); | |
| 2027 return -1; | |
| 2028 } | |
| 2007 } | 2029 } |
| 2008 | 2030 |
| 2009 spectral_to_sample(ac); | 2031 spectral_to_sample(ac); |
| 2010 | 2032 |
| 2011 data_size_tmp = 1024 * avccontext->channels * sizeof(int16_t); | 2033 data_size_tmp = 1024 * avccontext->channels * sizeof(int16_t); |