diff options
| author | Jean-Michel Trivi <jmtrivi@google.com> | 2018-12-28 15:24:54 -0800 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2018-12-28 15:24:54 -0800 |
| commit | 29c2ad6e2aeaad2a84f352ac1dfc60ebbc256f1e (patch) | |
| tree | 36d776a2396587efd4d70338a4c3e698300a290a | |
| parent | d00da81a1d0e6bf1e66396b782e73a234464eb7a (diff) | |
| parent | 61b5f49362a1714c04160da41d57f9b0560a8ff0 (diff) | |
| download | fdk-aac-29c2ad6e2aeaad2a84f352ac1dfc60ebbc256f1e.tar.gz fdk-aac-29c2ad6e2aeaad2a84f352ac1dfc60ebbc256f1e.tar.bz2 fdk-aac-29c2ad6e2aeaad2a84f352ac1dfc60ebbc256f1e.zip | |
Merge "Add valid bits check to adts header parser" am: b622299482 am: ffb999bec4
am: 61b5f49362
Change-Id: I2fff08ec59b1b233eeb433801740c076cd665c2f
| -rw-r--r-- | libMpegTPDec/src/tpdec_adts.cpp | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp index 6dc0275..1a4e3fd 100644 --- a/libMpegTPDec/src/tpdec_adts.cpp +++ b/libMpegTPDec/src/tpdec_adts.cpp @@ -180,7 +180,11 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, have channelConfig=0 and no PCE in this frame. */ FDKmemcpy(&oldPce, &pAsc->m_progrConfigElement, sizeof(CProgramConfig)); - valBits = FDKgetValidBits(hBs); + valBits = FDKgetValidBits(hBs) + ADTS_SYNCLENGTH; + + if (valBits < ADTS_HEADERLENGTH) { + return TRANSPORTDEC_NOT_ENOUGH_BITS; + } /* adts_fixed_header */ bs.mpeg_id = FDKreadBits(hBs, Adts_Length_Id); @@ -205,6 +209,10 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, adtsHeaderLength = ADTS_HEADERLENGTH; + if (valBits < bs.frame_length * 8) { + goto bail; + } + if (!bs.protection_absent) { FDKcrcReset(&pAdts->crcInfo); FDKpushBack(hBs, 56); /* complete fixed and variable header! */ @@ -213,6 +221,9 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, } if (!bs.protection_absent && bs.num_raw_blocks > 0) { + if ((INT)FDKgetValidBits(hBs) < bs.num_raw_blocks * 16) { + goto bail; + } for (i = 0; i < bs.num_raw_blocks; i++) { pAdts->rawDataBlockDist[i] = (USHORT)FDKreadBits(hBs, 16); adtsHeaderLength += 16; @@ -230,6 +241,11 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, USHORT crc_check; FDKcrcEndReg(&pAdts->crcInfo, hBs, crcReg); + + if ((INT)FDKgetValidBits(hBs) < Adts_Length_CrcCheck) { + goto bail; + } + crc_check = FDKreadBits(hBs, Adts_Length_CrcCheck); adtsHeaderLength += Adts_Length_CrcCheck; @@ -343,6 +359,10 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, FDKmemcpy(&pAdts->bs, &bs, sizeof(STRUCT_ADTS_BS)); return TRANSPORTDEC_OK; + +bail: + FDKpushBack(hBs, adtsHeaderLength); + return TRANSPORTDEC_NOT_ENOUGH_BITS; } int adtsRead_GetRawDataBlockLength(HANDLE_ADTS pAdts, INT blockNum) { |