comparison aac.c @ 11205:f5d50932acc0 libavcodec
Add some AAC buffer overread checks.
author | alexc |
---|---|
date | Thu, 18 Feb 2010 23:06:56 +0000 |
parents | 69020e1846fe |
children | 11fb96e94573 |
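--- a/aac.c
+++ b/aac.c
@@ -105,10 +105,12 @@
 static VLC vlc_scalefactors;
 static VLC vlc_spectral[11];
 
 static uint32_t cbrt_tab[1<<13];
 
+static const char overread_err[] = "Input buffer exhausted before END element found\n";
+
 static ChannelElement *get_che(AACContext *ac, int type, int elem_id)
 {
 if (ac->tag_che_map[type][elem_id]) {
 return ac->tag_che_map[type][elem_id];
 }
@@ -276,10 +278,11 @@
 */
 static int decode_pce(AACContext *ac, enum ChannelPosition new_che_pos[4][MAX_ELEM_ID],
 GetBitContext *gb)
 {
 int num_front, num_side, num_back, num_lfe, num_assoc_data, num_cc, sampling_index;
+int comment_len;
 
 skip_bits(gb, 2); // object_type
 
 sampling_index = get_bits(gb, 4);
 if (ac->m4ac.sampling_index != sampling_index)
@@ -310,11 +313,16 @@
 decode_channel_map(new_che_pos[TYPE_CCE], new_che_pos[TYPE_CCE], AAC_CHANNEL_CC, gb, num_cc );
 
 align_get_bits(gb);
 
 /* comment field, first byte is length */
-skip_bits_long(gb, 8 * get_bits(gb, 8));
+comment_len = get_bits(gb, 8) * 8;
+if (get_bits_left(gb) < comment_len) {
+av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
+return -1;
+}
+skip_bits_long(gb, comment_len);
 return 0;
 }
 
 /**
 * Set up channel positions based on a default channel configuration
@@ -572,19 +580,25 @@
 }
 
 /**
 * Skip data_stream_element; reference: table 4.10.
 */
-static void skip_data_stream_element(GetBitContext *gb)
+static int skip_data_stream_element(AACContext *ac, GetBitContext *gb)
 {
 int byte_align = get_bits1(gb);
 int count = get_bits(gb, 8);
 if (count == 255)
 count += get_bits(gb, 8);
 if (byte_align)
 align_get_bits(gb);
+
+if (get_bits_left(gb) < 8 * count) {
+av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
+return -1;
+}
 skip_bits_long(gb, 8 * count);
+return 0;
 }
 
 static int decode_prediction(AACContext *ac, IndividualChannelStream *ics,
 GetBitContext *gb)
 {
@@ -1970,12 +1984,11 @@
 case TYPE_LFE:
 err = decode_ics(ac, &che->ch[0], &gb, 0, 0);
 break;
 
 case TYPE_DSE:
-skip_data_stream_element(&gb);
-err = 0;
+err = skip_data_stream_element(ac, &gb);
 break;
 
 case TYPE_PCE: {
 enum ChannelPosition new_che_pos[4][MAX_ELEM_ID];
 memset(new_che_pos, 0, 4 * MAX_ELEM_ID * sizeof(new_che_pos[0][0]));
@@ -1990,10 +2003,14 @@
 }
 
 case TYPE_FIL:
 if (elem_id == 15)
 elem_id += get_bits(&gb, 8) - 1;
+if (get_bits_left(&gb) < 8 * elem_id) {
+av_log(avccontext, AV_LOG_ERROR, overread_err);
+return -1;
+}
 while (elem_id > 0)
 elem_id -= decode_extension_payload(ac, &gb, elem_id);
 err = 0; /* FIXME */
 break;
 
@@ -2002,10 +2019,15 @@
 break;
 }
 
 if (err)
 return err;
+
+if (get_bits_left(&gb) < 3) {
+av_log(avccontext, AV_LOG_ERROR, overread_err);
+return -1;
+}
 }
 
 spectral_to_sample(ac);
 
 data_size_tmp = 1024 * avccontext->channels * sizeof(int16_t);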
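Review bot: The check added at the bottom of the element loop in the last hunk, `get_bits_left(&gb) < 3`, only guarantees the 3-bit type of the next element, and it runs after the current element has been parsed, so for element types that do not pre-check their own length it reports an overread rather than preventing one. The loop header and the element-id read lie outside the visible hunks, so whether that read is covered cannot be confirmed from here; it looks like it is not. I would document the limit directly above the check, for example `/* guarantees only the 3-bit type of the next element; element decoders must bound their own reads */`, so the DSE, FIL and PCE pre-checks are not mistaken for full coverage. Separately, all four new call sites pass `overread_err` to av_log() as the format argument; the string is constant and has no conversion specifiers, so it is safe as written, but `av_log(avccontext, AV_LOG_ERROR, "%s", overread_err);` would keep it safe if the message text ever changes.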