aboutsummaryrefslogtreecommitdiffstats
path: root/libMpegTPDec
diff options
context:
space:
mode:
authorJean-Michel Trivi <jmtrivi@google.com>2018-12-28 15:24:54 -0800
committerandroid-build-merger <android-build-merger@google.com>2018-12-28 15:24:54 -0800
commit29c2ad6e2aeaad2a84f352ac1dfc60ebbc256f1e (patch)
tree36d776a2396587efd4d70338a4c3e698300a290a /libMpegTPDec
parentd00da81a1d0e6bf1e66396b782e73a234464eb7a (diff)
parent61b5f49362a1714c04160da41d57f9b0560a8ff0 (diff)
downloadfdk-aac-29c2ad6e2aeaad2a84f352ac1dfc60ebbc256f1e.tar.gz
fdk-aac-29c2ad6e2aeaad2a84f352ac1dfc60ebbc256f1e.tar.bz2
fdk-aac-29c2ad6e2aeaad2a84f352ac1dfc60ebbc256f1e.zip
Merge "Add valid bits check to adts header parser" am: b622299482 am: ffb999bec4
am: 61b5f49362 Change-Id: I2fff08ec59b1b233eeb433801740c076cd665c2f
Diffstat (limited to 'libMpegTPDec')
-rw-r--r--libMpegTPDec/src/tpdec_adts.cpp22
1 files changed, 21 insertions, 1 deletions
diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp
index 6dc0275..1a4e3fd 100644
--- a/libMpegTPDec/src/tpdec_adts.cpp
+++ b/libMpegTPDec/src/tpdec_adts.cpp
@@ -180,7 +180,11 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
have channelConfig=0 and no PCE in this frame. */
FDKmemcpy(&oldPce, &pAsc->m_progrConfigElement, sizeof(CProgramConfig));
- valBits = FDKgetValidBits(hBs);
+ valBits = FDKgetValidBits(hBs) + ADTS_SYNCLENGTH;
+
+ if (valBits < ADTS_HEADERLENGTH) {
+ return TRANSPORTDEC_NOT_ENOUGH_BITS;
+ }
/* adts_fixed_header */
bs.mpeg_id = FDKreadBits(hBs, Adts_Length_Id);
@@ -205,6 +209,10 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
adtsHeaderLength = ADTS_HEADERLENGTH;
+ if (valBits < bs.frame_length * 8) {
+ goto bail;
+ }
+
if (!bs.protection_absent) {
FDKcrcReset(&pAdts->crcInfo);
FDKpushBack(hBs, 56); /* complete fixed and variable header! */
@@ -213,6 +221,9 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
}
if (!bs.protection_absent && bs.num_raw_blocks > 0) {
+ if ((INT)FDKgetValidBits(hBs) < bs.num_raw_blocks * 16) {
+ goto bail;
+ }
for (i = 0; i < bs.num_raw_blocks; i++) {
pAdts->rawDataBlockDist[i] = (USHORT)FDKreadBits(hBs, 16);
adtsHeaderLength += 16;
@@ -230,6 +241,11 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
USHORT crc_check;
FDKcrcEndReg(&pAdts->crcInfo, hBs, crcReg);
+
+ if ((INT)FDKgetValidBits(hBs) < Adts_Length_CrcCheck) {
+ goto bail;
+ }
+
crc_check = FDKreadBits(hBs, Adts_Length_CrcCheck);
adtsHeaderLength += Adts_Length_CrcCheck;
@@ -343,6 +359,10 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts,
FDKmemcpy(&pAdts->bs, &bs, sizeof(STRUCT_ADTS_BS));
return TRANSPORTDEC_OK;
+
+bail:
+ FDKpushBack(hBs, adtsHeaderLength);
+ return TRANSPORTDEC_NOT_ENOUGH_BITS;
}
int adtsRead_GetRawDataBlockLength(HANDLE_ADTS pAdts, INT blockNum) {