authorMartin Storsjo <martin@martin.st>2017-11-20 12:35:32 +0200
committerMartin Storsjo <martin@martin.st>2018-10-16 09:38:33 +0300
commit28fdc28ec436ceafb11ceb6a354e9916c5265981 (patch)
tree80fc3519d8ac64b8fef4ab4de346634fbcbf3dae
parente6bb25613016ecd64ccbcb354768b4794ffd6351 (diff)
Reapply: Avoid reading out of bounds due to too large aaIidIndexMapped
Fixes: 10726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5167035365982208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-rw-r--r--libSBRdec/src/psdec.cpp15
1 files changed, 10 insertions, 5 deletions
diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp
index 1f8bd25..b31b310 100644
--- a/libSBRdec/src/psdec.cpp
+++ b/libSBRdec/src/psdec.cpp
@@ -325,7 +325,7 @@ void initSlotBasedRotation(
int env, int usb) {
INT group = 0;
INT bin = 0;
- INT noIidSteps;
+ INT noIidSteps, noFactors;
FIXP_SGL invL;
FIXP_DBL ScaleL, ScaleR;
@@ -337,9 +337,11 @@ void initSlotBasedRotation(
if (h_ps_d->bsData[h_ps_d->processSlot].mpeg.bFineIidQ) {
PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */
noIidSteps = NO_IID_STEPS_FINE;
+ noFactors = NO_IID_LEVELS_FINE;
} else {
PScaleFactors = ScaleFactors; /* values are shiftet right by one */
noIidSteps = NO_IID_STEPS;
+ noFactors = NO_IID_LEVELS;
}
/* dequantize and decode */
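Review bot: The new bound `noFactors` is only correct if NO_IID_LEVELS_FINE and NO_IID_LEVELS equal the element counts of ScaleFactorsFine and ScaleFactors, and those table definitions are not visible in this hunk. A short comment at each assignment, e.g. `/* number of entries in ScaleFactorsFine */`, or a compile-time size check next to the table definitions would keep the limit from drifting if a table is ever resized. The enclosing function continues outside the hunk.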
@@ -358,10 +360,13 @@ void initSlotBasedRotation(
/* ScaleR and ScaleL are scaled by 1 shift right */
- ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef
- ->aaIidIndexMapped[env][bin]];
- ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef
- ->aaIidIndexMapped[env][bin]];
+ ScaleL = ScaleR = 0;
+ if (noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
+ ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef
+ ->aaIidIndexMapped[env][bin]];
+ if (noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
+ ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef
+ ->aaIidIndexMapped[env][bin]];
AlphasValue = 0;
if (h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin] >= 0)
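Review bot: When the mapped IID index is out of range, both new `if` checks fall through and ScaleL/ScaleR silently stay 0, with no comment or error path marking this as a damaged-bitstream case. The table read is now bounded, but the invalid value stays stored in aaIidIndexMapped for any other reader, so validating or clamping it where it is decoded would presumably be the more durable fix (that code is not visible here). The expression repeated four times is also hard to audit: reading it once with `const INT iid = h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin];` and testing `if (noIidSteps + iid >= 0 && noIidSteps + iid < noFactors)` makes the bounds obvious, and the multi-line bodies deserve braces. A comment such as `/* out-of-range IID index from a damaged stream: keep both scale factors at 0 */` above `ScaleL = ScaleR = 0;` would document the intent. initSlotBasedRotation starts and ends outside the hunk.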