diff options
author | Fraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de> | 2018-08-15 14:35:00 +0200 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-09-10 23:19:16 +0000 |
commit | 61381bd0f4bc012876ccf4b63eafddd2d60c35c9 (patch) | |
tree | c50a58fbb17063bd0d3ded9243192dd41ae4d17f /libAACdec/src/aacdecoder.cpp | |
parent | c2208f2a3098410c5a4c79ad6bd4b6d7e1c0b03f (diff) | |
download | fdk-aac-61381bd0f4bc012876ccf4b63eafddd2d60c35c9.tar.gz fdk-aac-61381bd0f4bc012876ccf4b63eafddd2d60c35c9.tar.bz2 fdk-aac-61381bd0f4bc012876ccf4b63eafddd2d60c35c9.zip |
Break audio element loop in case element_count becomes too large.
Bug: 112891564
Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc
Change-Id: I35f02d23c0cfd620088291a52d9996a0d5a17199
(cherry picked from commit 3347cfb91a7ecabf5800d72e936f04ce44752bf3)
Diffstat (limited to 'libAACdec/src/aacdecoder.cpp')
-rw-r--r-- | libAACdec/src/aacdecoder.cpp | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index b8b1327..362e0b6 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -2519,8 +2519,14 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( if (!(self->flags[0] & (AC_USAC | AC_RSVD50 | AC_RSV603DA | AC_ELD | AC_SCALABLE | AC_ER))) type = (MP4_ELEMENT_ID)FDKreadBits(bs, 3); - else + else { + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } type = self->elements[element_count]; + } if ((self->flags[streamIndex] & (AC_USAC | AC_RSVD50) && element_count == 0) || @@ -2564,6 +2570,11 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( case ID_USAC_SCE: case ID_USAC_CPE: case ID_USAC_LFE: + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } el_channels = CAacDecoder_GetELChannels( type, self->usacStereoConfigIndex[element_count]); @@ -2795,12 +2806,24 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( } break; case ID_EXT: + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } + ErrorStatus = aacDecoder_ParseExplicitMpsAndSbr( self, bs, previous_element, previous_element_index, element_count, el_cnt); break; case ID_USAC_EXT: { + if ((element_count - element_count_prev_streams) >= + TP_USAC_MAX_ELEMENTS) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } /* parse extension element payload q.v. rsv603daExtElement() ISO/IEC DIS 23008-3 Table 30 or UsacExElement() ISO/IEC FDIS 23003-3:2011(E) Table 21 |