diff options
author | Martin Storsjo <martin@martin.st> | 2017-06-11 22:59:38 +0300 |
---|---|---|
committer | Martin Storsjo <martin@martin.st> | 2017-06-12 23:44:43 +0300 |
commit | d2fa9750d5f5cc5099ed616f762aad36cf2d3e9a (patch) | |
tree | cc01d41164009b32eb662d397a386396111d26b8 /libAACdec/src/channel.cpp | |
parent | 21cb19455c08555431eb7b4a942df6a9f64c0941 (diff) | |
download | fdk-aac-d2fa9750d5f5cc5099ed616f762aad36cf2d3e9a.tar.gz fdk-aac-d2fa9750d5f5cc5099ed616f762aad36cf2d3e9a.tar.bz2 fdk-aac-d2fa9750d5f5cc5099ed616f762aad36cf2d3e9a.zip |
Make sure to end all CRC regions in the right order
This fixes assert failures, when a (corrupt/fuzzed) bitstream
doesn't trigger starting/ending CRCs properly (or when decoding
is aborted halfway when an error is encountered). Skipping ending
a CRC region doesn't trigger an assert failure, but when a later
CRC region is started and ended, an assert fails when the end
doesn't match the expected CRC region.
Fixes: 1928/clusterfuzz-testcase-minimized-6480505958563840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Diffstat (limited to 'libAACdec/src/channel.cpp')
-rw-r--r-- | libAACdec/src/channel.cpp | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/libAACdec/src/channel.cpp b/libAACdec/src/channel.cpp index 5475079..4b182e0 100644 --- a/libAACdec/src/channel.cpp +++ b/libAACdec/src/channel.cpp @@ -411,11 +411,15 @@ AAC_DECODER_ERROR CChannelElement_Read(HANDLE_FDK_BITSTREAM hBs, case drmcrc_end_reg: if (pTpDec != NULL) { transportDec_CrcEndReg(pTpDec, crcReg1); + crcReg1 = -1; } break; case adtscrc_end_reg2: - if (pTpDec != NULL) { + if (crcReg1 != -1) { + error = AAC_DEC_DECODE_FRAME_ERROR; + } else if (pTpDec != NULL) { transportDec_CrcEndReg(pTpDec, crcReg2); + crcReg2 = -1; } break; case drmcrc_start_reg: @@ -447,5 +451,16 @@ AAC_DECODER_ERROR CChannelElement_Read(HANDLE_FDK_BITSTREAM hBs, } while (list->id[i] != end_of_sequence); bail: + if (crcReg1 != -1 || crcReg2 != -1) { + if (error == AAC_DEC_OK) { + error = AAC_DEC_DECODE_FRAME_ERROR; + } + if (crcReg1 != -1) { + transportDec_CrcEndReg(pTpDec, crcReg1); + } + if (crcReg2 != -1) { + transportDec_CrcEndReg(pTpDec, crcReg2); + } + } return error; } |