diff options
| -rw-r--r-- | libAACdec/src/aacdecoder.cpp | 25 | ||||
| -rw-r--r-- | libAACdec/src/conceal.cpp | 8 | ||||
| -rw-r--r-- | libMpegTPDec/src/tpdec_asc.cpp | 4 |
3 files changed, 31 insertions, 6 deletions
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index b8b1327..362e0b6 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp @@ -2519,8 +2519,14 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( if (!(self->flags[0] & (AC_USAC | AC_RSVD50 | AC_RSV603DA | AC_ELD | AC_SCALABLE | AC_ER))) type = (MP4_ELEMENT_ID)FDKreadBits(bs, 3); - else + else { + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } type = self->elements[element_count]; + } if ((self->flags[streamIndex] & (AC_USAC | AC_RSVD50) && element_count == 0) || @@ -2564,6 +2570,11 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( case ID_USAC_SCE: case ID_USAC_CPE: case ID_USAC_LFE: + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } el_channels = CAacDecoder_GetELChannels( type, self->usacStereoConfigIndex[element_count]); @@ -2795,12 +2806,24 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( } break; case ID_EXT: + if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } + ErrorStatus = aacDecoder_ParseExplicitMpsAndSbr( self, bs, previous_element, previous_element_index, element_count, el_cnt); break; case ID_USAC_EXT: { + if ((element_count - element_count_prev_streams) >= + TP_USAC_MAX_ELEMENTS) { + self->frameOK = 0; + ErrorStatus = AAC_DEC_PARSE_ERROR; + break; + } /* parse extension element payload q.v. rsv603daExtElement() ISO/IEC DIS 23008-3 Table 30 or UsacExElement() ISO/IEC FDIS 23003-3:2011(E) Table 21 diff --git a/libAACdec/src/conceal.cpp b/libAACdec/src/conceal.cpp index a6064b6..569d672 100644 --- a/libAACdec/src/conceal.cpp +++ b/libAACdec/src/conceal.cpp @@ -2080,11 +2080,11 @@ static void CConcealment_TDNoise_Apply(CConcealmentInfo *const pConcealmentInfo, noiseVal = FX_DBL2FX_PCM(fMult(noiseValLong, TDNoiseAtt)); /* add filtered noise - check for clipping, before */ - if (pcmdata[ii] > (FIXP_PCM)MAXVAL_FIXP_PCM - noiseVal && - noiseVal > (FIXP_PCM)0) { + if (noiseVal > (FIXP_PCM)0 && + pcmdata[ii] > (FIXP_PCM)MAXVAL_FIXP_PCM - noiseVal) { noiseVal = noiseVal * (FIXP_PCM)-1; - } else if (pcmdata[ii] < (FIXP_PCM)MINVAL_FIXP_PCM - noiseVal && - noiseVal < (FIXP_PCM)0) { + } else if (noiseVal < (FIXP_PCM)0 && + pcmdata[ii] < (FIXP_PCM)MINVAL_FIXP_PCM - noiseVal) { noiseVal = noiseVal * (FIXP_PCM)-1; } diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index b0f1c6a..8d411e8 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -2102,7 +2102,9 @@ TRANSPORTDEC_ERROR AudioSpecificConfig_Parse( self->m_aot = getAOT(bs); self->m_samplingFrequency = getSampleRate(bs, &self->m_samplingFrequencyIndex, 4); - if (self->m_samplingFrequency <= 0) { + if (self->m_samplingFrequency <= 0 || + (self->m_samplingFrequency > 96000 && self->m_aot != 39) || + self->m_samplingFrequency > 4 * 96000) { return TRANSPORTDEC_PARSE_ERROR; } |