author | Martin Storsjo <martin@martin.st> | 2017-11-20 12:35:32 +0200 |
---|---|---|
committer | Martin Storsjo <martin@martin.st> | 2018-10-16 09:38:33 +0300 |
commit | 28fdc28ec436ceafb11ceb6a354e9916c5265981 (patch) | |
tree | 80fc3519d8ac64b8fef4ab4de346634fbcbf3dae | |
parent | e6bb25613016ecd64ccbcb354768b4794ffd6351 (diff) | |
Reapply: Avoid reading out of bounds due to too large aaIidIndexMapped
Fixes: 10726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5167035365982208
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-rw-r--r-- | libSBRdec/src/psdec.cpp | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp
index 1f8bd25..b31b310 100644
--- a/libSBRdec/src/psdec.cpp
+++ b/libSBRdec/src/psdec.cpp
@@ -325,7 +325,7 @@ void initSlotBasedRotation(
 int env, int usb) {
 INT group = 0;
 INT bin = 0;
- INT noIidSteps;
+ INT noIidSteps, noFactors;
 FIXP_SGL invL;
 FIXP_DBL ScaleL, ScaleR;
@@ -337,9 +337,11 @@ void initSlotBasedRotation(
 if (h_ps_d->bsData[h_ps_d->processSlot].mpeg.bFineIidQ) {
 PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */
 noIidSteps = NO_IID_STEPS_FINE;
+ noFactors = NO_IID_LEVELS_FINE;
 } else {
 PScaleFactors = ScaleFactors; /* values are shiftet right by one */
 noIidSteps = NO_IID_STEPS;
+ noFactors = NO_IID_LEVELS;
 }
 /* dequantize and decode */
@@ -358,10 +360,13 @@ void initSlotBasedRotation(
 /* ScaleR and ScaleL are scaled by 1 shift right */
- ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef
- ->aaIidIndexMapped[env][bin]];
- ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef
- ->aaIidIndexMapped[env][bin]];
+ ScaleL = ScaleR = 0;
+ if (noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
+ ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef
+ ->aaIidIndexMapped[env][bin]];
+ if (noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
+ ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef
+ ->aaIidIndexMapped[env][bin]];
 AlphasValue = 0;
 if (h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin] >= 0) |
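Review bot: The new bound `noFactors` in the second hunk is tied to the lookup tables only by the names `NO_IID_LEVELS_FINE` and `NO_IID_LEVELS`; nothing visible here shows that `ScaleFactorsFine` and `ScaleFactors` really have that many entries. Their declarations are outside this diff, so if either table is sized differently the guard added in the last hunk checks the wrong limit and the out-of-bounds read can remain. A compile-time check beside the table definitions would pin the relationship; at minimum I would add a comment on each assignment, e.g. `/* number of entries in ScaleFactorsFine */`.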
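Review bot: In the last hunk the guard spells out `h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin]` six times and silently falls back to a zero gain, with no comment saying that this is the malformed-stream path. Reading the index once into a local makes the two range checks reviewable at a glance and keeps check and use from drifting apart; this assumes the element type converts to `INT` without loss, which the hunk does not show. The check also sits at the point of use only: if `aaIidIndexMapped` is filled from decoded bitstream data, as the commit title suggests, rejecting or clamping the value where it is written would protect any other reader of the array too. The body of initSlotBasedRotation continues outside the hunk.

```cpp
/* ScaleR and ScaleL are scaled by 1 shift right */
const INT iidIdx =
    h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin];

/* An IID index outside the table comes from a malformed stream:
   leave the affected gain at 0 instead of reading past the table. */
ScaleL = ScaleR = 0;
if (noIidSteps + iidIdx >= 0 && noIidSteps + iidIdx < noFactors)
  ScaleR = PScaleFactors[noIidSteps + iidIdx];
if (noIidSteps - iidIdx >= 0 && noIidSteps - iidIdx < noFactors)
  ScaleL = PScaleFactors[noIidSteps - iidIdx];

/* … unchanged: AlphasValue lookup … */
```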