Mercurial > libavcodec.hg

diff aac.c @ 7871:8277c41b7160 libavcodec

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Validate pulse position and error out if an invalid position is encountered. Patch by Alex Converse (alex converse gmail com)
author superdump
date Tue, 16 Sep 2008 15:59:43 +0000
parents f75806078d46
children fdd3e68dcf94
line wrap: on
line diff
--- a/aac.c	Tue Sep 16 01:49:32 2008 +0000
+++ b/aac.c	Tue Sep 16 15:59:43 2008 +0000
@@ -594,16 +594,24 @@
 /**
  * Decode pulse data; reference: table 4.7.
  */
-static void decode_pulses(Pulse * pulse, GetBitContext * gb, const uint16_t * swb_offset) {
-    int i;
+static int decode_pulses(Pulse * pulse, GetBitContext * gb, const uint16_t * swb_offset, int num_swb) {
+    int i, pulse_swb;
     pulse->num_pulse = get_bits(gb, 2) + 1;
-    pulse->pos[0]    = swb_offset[get_bits(gb, 6)];
+    pulse_swb        = get_bits(gb, 6);
+    if (pulse_swb >= num_swb)
+        return -1;
+    pulse->pos[0]    = swb_offset[pulse_swb];
     pulse->pos[0]   += get_bits(gb, 5);
+    if (pulse->pos[0] > 1023)
+        return -1;
     pulse->amp[0]    = get_bits(gb, 4);
     for (i = 1; i < pulse->num_pulse; i++) {
         pulse->pos[i] = get_bits(gb, 5) + pulse->pos[i-1];
+        if (pulse->pos[i] > 1023)
+            return -1;
         pulse->amp[i] = get_bits(gb, 4);
     }
+    return 0;
 }
 
 /**
@@ -811,7 +819,10 @@
                 av_log(ac->avccontext, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n");
                 return -1;
             }
-            decode_pulses(&pulse, gb, ics->swb_offset);
+            if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
+                av_log(ac->avccontext, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n");
+                return -1;
+            }
         }
         if ((tns->present = get_bits1(gb)) && decode_tns(ac, tns, gb, ics))
             return -1;