diff options
| author | Martin Storsjo <martin@martin.st> | 2017-08-03 13:59:22 +0300 |
|---|---|---|
| committer | Martin Storsjo <martin@martin.st> | 2017-08-03 14:22:30 +0300 |
| commit | ee6d9476a656195460c903bde741e96be4220660 (patch) | |
| tree | d0ff7e0844757f717aa06c8cf92d6e839a447031 | |
| parent | 52c2660c26beaaccf903759c18bb758e9f18a470 (diff) | |
| download | fdk-aac-ee6d9476a656195460c903bde741e96be4220660.tar.gz fdk-aac-ee6d9476a656195460c903bde741e96be4220660.tar.bz2 fdk-aac-ee6d9476a656195460c903bde741e96be4220660.zip | |
Check for heightLayer out of range
Alternatively, the bits read in CProgramConfig_ReadHeightExt could
be checked right there instead.
Fixes: 2802/clusterfuzz-testcase-minimized-6752357788418048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
| -rw-r--r-- | libMpegTPDec/src/tpdec_asc.cpp | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 96a1b35..a292bcb 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -650,6 +650,8 @@ int CProgramConfig_LookupElement( /* search in front channels */ for (i = 0; i < pPce->NumFrontChannelElements; i++) { int heightLayer = pPce->FrontElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->FrontElementIsCpe[i] && pPce->FrontElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_FRONT); @@ -704,6 +706,8 @@ int CProgramConfig_LookupElement( /* search in side channels */ for (i = 0; i < pPce->NumSideChannelElements; i++) { int heightLayer = pPce->SideElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->SideElementIsCpe[i] && pPce->SideElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_SIDE); @@ -758,6 +762,8 @@ int CProgramConfig_LookupElement( /* search in back channels */ for (i = 0; i < pPce->NumBackChannelElements; i++) { int heightLayer = pPce->BackElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; if (isCpe == pPce->BackElementIsCpe[i] && pPce->BackElementTagSelect[i] == tag) { int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer]; AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_BACK); @@ -817,18 +823,24 @@ int CProgramConfig_LookupElement( Start with counting the front channels/elements at normal height */ for (i = 0; i < pPce->NumFrontChannelElements; i+=1) { int heightLayer = pPce->FrontElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; ec[heightLayer] += 1; cc[heightLayer] += (pPce->FrontElementIsCpe[i]) ? 2 : 1; } /* Count side channels/elements at normal height */ for (i = 0; i < pPce->NumSideChannelElements; i+=1) { int heightLayer = pPce->SideElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; ec[heightLayer] += 1; cc[heightLayer] += (pPce->SideElementIsCpe[i]) ? 2 : 1; } /* Count back channels/elements at normal height */ for (i = 0; i < pPce->NumBackChannelElements; i+=1) { int heightLayer = pPce->BackElementHeightInfo[i]; + if (heightLayer >= PC_NUM_HEIGHT_LAYER) + return 0; ec[heightLayer] += 1; cc[heightLayer] += (pPce->BackElementIsCpe[i]) ? 2 : 1; } |