author: Jean-Michel Trivi <jmtrivi@google.com> 2020-10-05 16:27:56 -0700
committer: Jean-Michel Trivi <jmtrivi@google.com> 2020-10-05 16:27:56 -0700
commit: f451278f0e57a7355783d644f7083b28b41e4b4e
tree: 8da47c5f9b0f9ddce2910199b3025227178e16c0
parent: 6c00295b87d897bd8d9b3d029c9d25330a91a023
download: fdk-aac-f451278f0e57a7355783d644f7083b28b41e4b4e.tar.gz / .tar.bz2 / .zip
Fix fuzzer's use of aacDecoder_DecodeFrame
The aacDecoder_DecodeFrame function takes a size in numbers of samples (INT_PCM), not a number of bytes. Using a number of bytes caused the FDK to believe the array was larger than it really was. Therefore, on invalid frames, it would try to clear a size larger than was really available, causing an OOB crash.

Bug: 161014225
Test: check clusterfuzz results for case 6217304556437504
Change-Id: I9278898a17c1c961c568e841c6037d0c14bcc8b4
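The unit mismatch the commit message describes, as an added example that is not code from fdk-aac or from its fuzzer: a stand-in for the decoder's invalid-frame path that trusts `timeDataSize` as a sample count and zeroes that many samples, called once with the byte count the old fuzzer passed and once with the element count the fix passes. The output buffer sits in front of a canary region, so the overrun shows up as clobbered canary bytes rather than a crash. The 16-bit `INT_PCM`, the value 2048 for `kMaxOutBufferSize`, the `element_count` helper and the `model_decode_invalid_frame` function are all assumptions made for this demo; the real library's internals are not on this page.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-in for the FDK's INT_PCM sample type; 16-bit here (assumption for the
// demo, not copied from the library's headers).
typedef int16_t INT_PCM;

// Hypothetical buffer length in samples; the real value used by
// aac_dec_fuzzer.cpp is not shown on this page.
constexpr size_t kMaxOutBufferSize = 2048;

// Count the elements of a C array, which is what the fixed call passes.
// sizeof(arr) gives the byte size, which is what the old call passed.
template <typename T, size_t N>
constexpr int element_count(T (&)[N]) {
    return static_cast<int>(N);
}

// An output buffer followed by a canary region, so a clear that runs past the
// buffer is visible as overwritten canary bytes instead of a segfault.
struct GuardedOutput {
    static constexpr uint8_t kCanary = 0xA5;
    std::vector<uint8_t> bytes;   // layout: [buffer][canary ...]
    size_t elems;                 // real size of the buffer, in samples

    explicit GuardedOutput(size_t n)
        : bytes(n * sizeof(INT_PCM) * 3, kCanary), elems(n) {
        std::memset(bytes.data(), 0x11, n * sizeof(INT_PCM));  // "live" samples
    }
    INT_PCM *buf() { return reinterpret_cast<INT_PCM *>(bytes.data()); }
    size_t capacity_elems() const { return bytes.size() / sizeof(INT_PCM); }
    size_t canary_bytes_clobbered() const {
        size_t start = elems * sizeof(INT_PCM);
        return static_cast<size_t>(std::count_if(
            bytes.begin() + static_cast<std::ptrdiff_t>(start), bytes.end(),
            [](uint8_t b) { return b != kCanary; }));
    }
};

// Model (not fdk-aac code) of the invalid-frame path from the commit message:
// the decoder trusts timeDataSize as a SAMPLE count and zeroes that many
// samples. The clamp to capacity_elems exists only so this demo cannot fault;
// the real library knows nothing about the caller's allocation.
static void model_decode_invalid_frame(INT_PCM *pTimeData, int timeDataSize,
                                       size_t capacity_elems) {
    size_t n = std::min(static_cast<size_t>(timeDataSize), capacity_elems);
    std::memset(pTimeData, 0, n * sizeof(INT_PCM));
}

// How many bytes past the real buffer a clear with `timeDataSize` writes.
size_t overrun_bytes_for(int timeDataSize) {
    GuardedOutput out(kMaxOutBufferSize);
    model_decode_invalid_frame(out.buf(), timeDataSize, out.capacity_elems());
    return out.canary_bytes_clobbered();
}

// The two call sites from the patch, reduced to the value each one passes.
int old_call_size() {            // sizeof(outputBuf): a byte count
    INT_PCM outputBuf[kMaxOutBufferSize];
    return static_cast<int>(sizeof(outputBuf));
}
int fixed_call_size() {          // number of INT_PCM, as the fix passes
    INT_PCM outputBuf[kMaxOutBufferSize];
    return element_count(outputBuf);
}

int main() {
    // With a 16-bit INT_PCM the old call passes 4096 for a 2048-sample buffer
    // and the modelled clear writes 4096 bytes past its end; the fixed call
    // passes 2048 and stays inside. Exit status 0 means the model agrees.
    return (overrun_bytes_for(old_call_size()) != 0 &&
            overrun_bytes_for(fixed_call_size()) == 0) ? 0 : 1;
}
```

The same canary trick is what a sanitizer does for you with redzones; the point of doing it by hand here is to see that the overrun length equals the buffer's byte size, i.e. exactly the factor of `sizeof(INT_PCM)` by which the two units differ.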
-rw-r--r-- fuzzer/aac_dec_fuzzer.cpp | 3
1 file changed, 2 insertions, 1 deletion
diff --git a/fuzzer/aac_dec_fuzzer.cpp b/fuzzer/aac_dec_fuzzer.cpp
index b5545fc..c970197 100644
--- a/fuzzer/aac_dec_fuzzer.cpp
+++ b/fuzzer/aac_dec_fuzzer.cpp
@@ -118,7 +118,8 @@ void Codec::decodeFrames(UCHAR *data, UINT size) {
INT_PCM outputBuf[kMaxOutBufferSize];
do {
mErrorCode =
- aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, sizeof(outputBuf), 0);
+ aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf,
+ kMaxOutBufferSize /*size in number of INT_PCM, not bytes*/, 0);
} while (mErrorCode == AAC_DEC_OK);
UINT offset = inputSize - valid;
data += offset;
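Review bot: the `+` line hard-codes `kMaxOutBufferSize` as the sample count, which is correct only as long as `outputBuf` on the first context line keeps being declared with that same constant; deriving the count from the array itself, e.g. `sizeof(outputBuf) / sizeof(outputBuf[0])` (or `std::size(outputBuf)` if the fuzzer builds as C++17), keeps the declaration and the call in sync if the buffer size is ever changed, and makes the inline `/*size in number of INT_PCM, not bytes*/` comment self-evident rather than something the next reader has to trust.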