diff options
author | Martin Storsjo <martin@martin.st> | 2017-11-20 12:35:32 +0200 |
---|---|---|
committer | Martin Storsjo <martin@martin.st> | 2017-11-20 12:36:46 +0200 |
commit | 56c717e223a161b11f523de97dae51c5cccd6b52 (patch) | |
tree | 4d92bac23b3f124580ad1e5163fb630007fe51e0 | |
parent | 1e3515e03e2dbdbd48dacc31ef75d25c201a4c51 (diff) | |
download | fdk-aac-56c717e223a161b11f523de97dae51c5cccd6b52.tar.gz fdk-aac-56c717e223a161b11f523de97dae51c5cccd6b52.tar.bz2 fdk-aac-56c717e223a161b11f523de97dae51c5cccd6b52.zip |
Avoid reading out of bounds due to too large aaIidIndexMapped
Fixes: 4151/clusterfuzz-testcase-4854089193095168
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-rw-r--r-- | libSBRdec/src/psdec.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp index 88a79a4..1729f90 100644 --- a/libSBRdec/src/psdec.cpp +++ b/libSBRdec/src/psdec.cpp @@ -938,7 +938,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta INT group = 0; INT bin = 0; - INT noIidSteps; + INT noIidSteps, noFactors; /* const UCHAR *pQuantizedIIDs;*/ @@ -984,6 +984,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta { PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */ noIidSteps = NO_IID_STEPS_FINE; + noFactors = NO_IID_LEVELS_FINE; /*pQuantizedIIDs = quantizedIIDsFine;*/ } @@ -991,6 +992,7 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta { PScaleFactors = ScaleFactors; /* values are shiftet right by one */ noIidSteps = NO_IID_STEPS; + noFactors = NO_IID_LEVELS; /*pQuantizedIIDs = quantizedIIDs;*/ } @@ -1012,8 +1014,11 @@ void initSlotBasedRotation( HANDLE_PS_DEC h_ps_d, /*!< pointer to the module sta /* ScaleR and ScaleL are scaled by 1 shift right */ - ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; - ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; + ScaleL = ScaleR = 0; + if (noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] < noFactors) + ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; + if (noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin] < noFactors) + ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.coef.aaIidIndexMapped[env][bin]]; AlphasValue = 0; if (h_ps_d->specificTo.mpeg.coef.aaIccIndexMapped[env][bin] >= 0) |