[FFmpeg-devel] [PATCH] decode_channel_map overread check
Reimar Döffinger
Reimar.Doeffinger
Sat Dec 11 16:07:00 CET 2010
Hello,
all decode_channel_map calls together can easily read more data than the padding.
So the patch below adds an input length check before reading them.
Fixes some invalid reads with the sample from http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1138
Index: libavcodec/aacdec.c
===================================================================
--- libavcodec/aacdec.c (revision 25928)
+++ libavcodec/aacdec.c (working copy)
@@ -313,6 +313,10 @@
if (get_bits1(gb))
skip_bits(gb, 3); // mixdown_coeff_index and pseudo_surround
+ if (get_bits_left(gb) < 4 * (num_front + num_side + num_back + num_lfe + num_assoc_data + num_cc)) {
+ av_log(avctx, AV_LOG_ERROR, overread_err);
+ return -1;
+ }
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_FRONT, gb, num_front);
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_SIDE, gb, num_side );
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_BACK, gb, num_back );
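Review bot: the bound in the new get_bits_left() check assumes a fixed 4 bits per channel-map entry for all six counts, but the front, side and back calls shown here are passed both the TYPE_CPE and TYPE_SCE maps, so if decode_channel_map reads a CPE/SCE selector flag before the 4-bit tag for those types the bound undercounts by one bit per entry and a crafted PCE can still run a few bits past the check (though within the input padding). Either compute the bound from the exact per-type width, e.g. `5 * (num_front + num_side + num_back) + 4 * (num_lfe + num_assoc_data)` plus the width the coupling-channel entries actually use, or add a comment stating that the remaining slack is intentionally left to the padding. Minor: `return -1` could be `return AVERROR_INVALIDDATA` to match the error-code style used elsewhere in the decoder, and a short comment on the `av_log(avctx, AV_LOG_ERROR, overread_err);` line saying which fields are about to be read would help the next reader.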