From 28fdc28ec436ceafb11ceb6a354e9916c5265981 Mon Sep 17 00:00:00 2001
From: Martin Storsjo
Date: Mon, 20 Nov 2017 12:35:32 +0200
Subject: Reapply: Avoid reading out of bounds due to too large aaIidIndexMapped
Fixes: 10726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5167035365982208
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libSBRdec/src/psdec.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp
index 1f8bd25..b31b310 100644
--- a/libSBRdec/src/psdec.cpp
+++ b/libSBRdec/src/psdec.cpp
@@ -325,7 +325,7 @@ void initSlotBasedRotation(
 int env, int usb) {
 INT group = 0;
 INT bin = 0;
- INT noIidSteps;
+ INT noIidSteps, noFactors;
 FIXP_SGL invL;
 FIXP_DBL ScaleL, ScaleR;
@@ -337,9 +337,11 @@ void initSlotBasedRotation(
 if (h_ps_d->bsData[h_ps_d->processSlot].mpeg.bFineIidQ) {
 PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */
 noIidSteps = NO_IID_STEPS_FINE;
+ noFactors = NO_IID_LEVELS_FINE;
 } else {
 PScaleFactors = ScaleFactors; /* values are shiftet right by one */
 noIidSteps = NO_IID_STEPS;
+ noFactors = NO_IID_LEVELS;
 }
 /* dequantize and decode */
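Review bot: The two new assignments `noFactors = NO_IID_LEVELS_FINE;` and `noFactors = NO_IID_LEVELS;` carry nothing tying the value to the table selected on the line above them, although the bound check added further down only protects the read if `noFactors` equals the element count of `ScaleFactorsFine` / `ScaleFactors`. A comment on each, such as `noFactors = NO_IID_LEVELS_FINE; /* element count of ScaleFactorsFine */`, would record that coupling, and a compile-time assertion next to the table definitions would enforce it; whether the constants actually match the array sizes is not visible in this patch and should be confirmed. The enclosing `initSlotBasedRotation` begins and ends outside the hunk.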
@@ -358,10 +360,13 @@ void initSlotBasedRotation(
 /* ScaleR and ScaleL are scaled by 1 shift right */
- ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef - ->aaIidIndexMapped[env][bin]];
- ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef - ->aaIidIndexMapped[env][bin]];
+ ScaleL = ScaleR = 0;
+ if (noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
+ ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef - ->aaIidIndexMapped[env][bin]];
+ if (noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
+ ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef - ->aaIidIndexMapped[env][bin]];
 AlphasValue = 0;
 if (h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin] >= 0)
-- 
cgit v1.2.3
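Review bot: The guarded expression `noIidSteps ± h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin]` is spelled out six times across the two added `if` lines and their bodies, which makes the range check hard to audit and pushes both condition lines far past the line length the rest of this clang-formatted file keeps; reading the mapped index once into a local and deriving the two table offsets from it makes the check verifiable at a glance. The out-of-range branch also silently leaves `ScaleL`/`ScaleR` at zero with no comment, so a later reader cannot tell whether the zero is a decoded value or a fallback; since the commit message traces the over-large index to fuzzer input, the comment should say that an offset outside `[0, noFactors)` indicates a corrupt bitstream and that zero is the deliberate substitute for an out-of-bounds table read. `initSlotBasedRotation` begins and ends outside the hunk.
```cpp
    /* ScaleR and ScaleL are scaled by 1 shift right */
    /* aaIidIndexMapped originates from bitstream data; an offset outside
       [0, noFactors) indicates a corrupt stream, so substitute a zero scale
       factor instead of reading past the end of PScaleFactors. */
    INT iidIdx = h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin];
    INT idxR = noIidSteps + iidIdx;
    INT idxL = noIidSteps - iidIdx;
    ScaleL = ScaleR = 0;
    if (idxR >= 0 && idxR < noFactors) ScaleR = PScaleFactors[idxR];
    if (idxL >= 0 && idxL < noFactors) ScaleL = PScaleFactors[idxL];
    /* … unchanged: AlphasValue / aaIccIndexMapped handling … */
```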