diff options
author | Martin Storsjo <martin@martin.st> | 2021-01-14 15:36:03 +0200 |
---|---|---|
committer | Martin Storsjo <martin@martin.st> | 2021-01-14 15:36:03 +0200 |
commit | d75500444a76f6aef8a8ff35620118de84cce65f (patch) | |
tree | 158623590e0b5a61c29121394477c2cea676b64a | |
parent | d284d42e71b125d9908ae2d6042d17ee09597ecb (diff) | |
download | fdk-aac-d75500444a76f6aef8a8ff35620118de84cce65f.tar.gz fdk-aac-d75500444a76f6aef8a8ff35620118de84cce65f.tar.bz2 fdk-aac-d75500444a76f6aef8a8ff35620118de84cce65f.zip |
Don't use enums for values read directly from the bitstream
The enums don't cover all possible values read from the bitstream.
This fixes undefined behaviour sanitizer errors.
Fixes: 27647/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5654559200116736
Fixes: 28193/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-4901213455515648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-rw-r--r-- | libMpegTPDec/src/tpdec_asc.cpp | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 82f840e..bb4094b 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1549,8 +1549,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement, const AUDIO_OBJECT_TYPE aot) { TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; - USAC_EXT_ELEMENT_TYPE usacExtElementType = - (USAC_EXT_ELEMENT_TYPE)escapedValue(hBs, 4, 8, 16); + int usacExtElementType = escapedValue(hBs, 4, 8, 16); /* recurve extension elements which are invalid for USAC */ if (aot == AOT_USAC) { @@ -1567,7 +1566,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement, } } - extElement->usacExtElementType = usacExtElementType; + extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE)usacExtElementType; int usacExtElementConfigLength = escapedValue(hBs, 4, 8, 16); extElement->usacExtElementConfigLength = (USHORT)usacExtElementConfigLength; INT bsAnchor; @@ -1631,14 +1630,14 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc, TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; int numConfigExtensions; - CONFIG_EXT_ID usacConfigExtType; + int usacConfigExtType; int usacConfigExtLength; numConfigExtensions = (int)escapedValue(hBs, 2, 4, 8) + 1; for (int confExtIdx = 0; confExtIdx < numConfigExtensions; confExtIdx++) { INT nbits; int loudnessInfoSetConfigExtensionPosition = FDKgetValidBits(hBs); - usacConfigExtType = (CONFIG_EXT_ID)escapedValue(hBs, 4, 8, 16); + usacConfigExtType = escapedValue(hBs, 4, 8, 16); usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16); /* Start bit position of config extension */ |