authorMartin Storsjo <martin@martin.st>2021-01-14 15:36:03 +0200
committerMartin Storsjo <martin@martin.st>2021-01-14 15:36:03 +0200
commitd75500444a76f6aef8a8ff35620118de84cce65f (patch)
tree158623590e0b5a61c29121394477c2cea676b64a
parentd284d42e71b125d9908ae2d6042d17ee09597ecb (diff)
Don't use enums for values read directly from the bitstream
The enums don't cover all possible values read from the bitstream. This fixes undefined behaviour sanitizer errors. Fixes: 27647/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5654559200116736 Fixes: 28193/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-4901213455515648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-rw-r--r--libMpegTPDec/src/tpdec_asc.cpp9
1 files changed, 4 insertions, 5 deletions
diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index 82f840e..bb4094b 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -1549,8 +1549,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement,
const AUDIO_OBJECT_TYPE aot) {
TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
- USAC_EXT_ELEMENT_TYPE usacExtElementType =
- (USAC_EXT_ELEMENT_TYPE)escapedValue(hBs, 4, 8, 16);
+ int usacExtElementType = escapedValue(hBs, 4, 8, 16);
/* recurve extension elements which are invalid for USAC */
if (aot == AOT_USAC) {
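Review bot: Nothing at the new `int usacExtElementType = escapedValue(hBs, 4, 8, 16);` declaration records why the variable is deliberately not the enum type, so a later cleanup could reintroduce the cast on the raw read. A short comment such as `/* raw bitstream value: may not match any USAC_EXT_ELEMENT_TYPE enumerator, keep as int until validated */` would preserve the intent. The same applies to `int usacConfigExtType;` in configExtension in the third hunk, with CONFIG_EXT_ID as the enum. The body of extElementConfig continues outside this hunk.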
@@ -1567,7 +1566,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement,
}
}
- extElement->usacExtElementType = usacExtElementType;
+ extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE)usacExtElementType;
int usacExtElementConfigLength = escapedValue(hBs, 4, 8, 16);
extElement->usacExtElementConfigLength = (USHORT)usacExtElementConfigLength;
INT bsAnchor;
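Review bot: The cast in `extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE)usacExtElementType;` still converts a bitstream-controlled integer to the enum, so the struct field can hold a value that matches no enumerator unless every path before the store has normalised it. The only validation visible is guarded by `if (aot == AOT_USAC)` in the previous hunk, and its body lies outside the shown lines, so for other object types the value appears to reach the cast unchecked. Consider an explicit check before the store that replaces any value without a matching enumerator by the enum's unknown or reserved member, or make the struct field an integer type as well. Later code that loads or switches on the field would then see only defined values, but whether such consumers exist cannot be confirmed from this hunk.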
@@ -1631,14 +1630,14 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc,
TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;
int numConfigExtensions;
- CONFIG_EXT_ID usacConfigExtType;
+ int usacConfigExtType;
int usacConfigExtLength;
numConfigExtensions = (int)escapedValue(hBs, 2, 4, 8) + 1;
for (int confExtIdx = 0; confExtIdx < numConfigExtensions; confExtIdx++) {
INT nbits;
int loudnessInfoSetConfigExtensionPosition = FDKgetValidBits(hBs);
- usacConfigExtType = (CONFIG_EXT_ID)escapedValue(hBs, 4, 8, 16);
+ usacConfigExtType = escapedValue(hBs, 4, 8, 16);
usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16);
/* Start bit position of config extension */