summaryrefslogtreecommitdiffstats
path: root/libAACdec
diff options
context:
space:
mode:
authorMartin Storsjo <martin@martin.st>2017-10-20 15:36:53 +0300
committerMartin Storsjo <martin@martin.st>2017-10-20 16:33:25 +0300
commitc366b3db8fd78013edc5968df8507473b6fa71e6 (patch)
tree76921c37bc9dc98b9e4e097a3ce4a95e1550431d /libAACdec
parente2e35b82738dc9d5e5229477d49d557cadad4dc7 (diff)
downloadfdk-aac-c366b3db8fd78013edc5968df8507473b6fa71e6.tar.gz
fdk-aac-c366b3db8fd78013edc5968df8507473b6fa71e6.tar.bz2
fdk-aac-c366b3db8fd78013edc5968df8507473b6fa71e6.zip
Add tighter sanity checks in CBlock_GetEscape
We can't read 31 bits of value here, since that would place the topmost bit in the sign bit. Fixes: 3480/clusterfuzz-testcase-4573445423628288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Diffstat (limited to 'libAACdec')
-rw-r--r--libAACdec/src/block.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/libAACdec/src/block.cpp b/libAACdec/src/block.cpp
index bda565c..8bee2d4 100644
--- a/libAACdec/src/block.cpp
+++ b/libAACdec/src/block.cpp
@@ -138,7 +138,7 @@ LONG CBlock_GetEscape(HANDLE_FDK_BITSTREAM bs, /*!< pointer to bitstream */
if (i > 16)
{
- if (i - 16 > CACHE_BITS) { /* cannot read more than "CACHE_BITS" bits at once in the function FDKreadBits() */
+ if (i >= 31) { /* (1 << i) will shift into the sign bit if i >= 31 */
return (MAX_QUANTIZED_VALUE + 1); /* returning invalid value that will be captured later */
}