diff aac.c @ 11281:11fb96e94573 libavcodec

aac: Keep decode_band_types() from eating all padding at the end of a buffer. Due to a shortcoming in the AAC specification, if an all-zero buffer is fed to section data decoding it will never terminate. That means without a buffer exhaustion check decode_band_types() will consume all input buffer padding. Worse, if a get_bits() implementation that returns zeros when padding is exhausted is used, the function will never terminate. This fixes that by adding a buffer exhaustion check in the sectioning decoding loop.
author alexc
date Wed, 24 Feb 2010 23:56:52 +0000
parents f5d50932acc0
children a1376a6f9af1
--- a/aac.c	Wed Feb 24 22:13:20 2010 +0000
+++ b/aac.c	Wed Feb 24 23:56:52 2010 +0000
@@ -715,6 +715,10 @@
             while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
                 sect_end += sect_len_incr;
             sect_end += sect_len_incr;
+            if (get_bits_left(gb) < 0) {
+                av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
+                return -1;
+            }
             if (sect_end > ics->max_sfb) {
                 av_log(ac->avccontext, AV_LOG_ERROR,
                        "Number of bands (%d) exceeds limit (%d).\n",
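Review bot: The inner escape loop `while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)` still reads with no exhaustion check, because the added `get_bits_left(gb) < 0` test runs only once per section, after that loop has finished. The commit message covers all-zero input, but a buffer tail that keeps decoding as the escape value would let this loop run through the padding, and presumably past it with an unchecked bit reader, before the new test is reached. Folding the read, the accumulation and the overread test into one do/while bounds every read and keeps the same sect_end arithmetic. The enclosing function starts and ends outside the hunk, and `overread_err` is defined elsewhere, so it is worth confirming it is a constant string with no conversion specifiers since it is passed as the format argument.

```c
            do {
                sect_len_incr = get_bits(gb, bits);
                sect_end += sect_len_incr;
                /* test after every read so a run of escape values cannot outrun the buffer */
                if (get_bits_left(gb) < 0) {
                    av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
                    return -1;
                }
            } while (sect_len_incr == (1 << bits) - 1);
            /* … unchanged: sect_end > ics->max_sfb check … */
```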