From 5877c3e9599ad39e397dcfd0213d88905d192a78 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Fri, 19 Oct 2018 16:46:56 +0200 Subject: Add valid bits check to adts header parser Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I72509e3afbc4c7e5a3a6fe877edd4eed832d7204 --- libMpegTPDec/src/tpdec_adts.cpp | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp index 6dc0275..1a4e3fd 100644 --- a/libMpegTPDec/src/tpdec_adts.cpp +++ b/libMpegTPDec/src/tpdec_adts.cpp @@ -180,7 +180,11 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, have channelConfig=0 and no PCE in this frame. */ FDKmemcpy(&oldPce, &pAsc->m_progrConfigElement, sizeof(CProgramConfig)); - valBits = FDKgetValidBits(hBs); + valBits = FDKgetValidBits(hBs) + ADTS_SYNCLENGTH; + + if (valBits < ADTS_HEADERLENGTH) { + return TRANSPORTDEC_NOT_ENOUGH_BITS; + } /* adts_fixed_header */ bs.mpeg_id = FDKreadBits(hBs, Adts_Length_Id); @@ -205,6 +209,10 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, adtsHeaderLength = ADTS_HEADERLENGTH; + if (valBits < bs.frame_length * 8) { + goto bail; + } + if (!bs.protection_absent) { FDKcrcReset(&pAdts->crcInfo); FDKpushBack(hBs, 56); /* complete fixed and variable header! */ @@ -213,6 +221,9 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, } if (!bs.protection_absent && bs.num_raw_blocks > 0) { + if ((INT)FDKgetValidBits(hBs) < bs.num_raw_blocks * 16) { + goto bail; + } for (i = 0; i < bs.num_raw_blocks; i++) { pAdts->rawDataBlockDist[i] = (USHORT)FDKreadBits(hBs, 16); adtsHeaderLength += 16; @@ -230,6 +241,11 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, USHORT crc_check; FDKcrcEndReg(&pAdts->crcInfo, hBs, crcReg); + + if ((INT)FDKgetValidBits(hBs) < Adts_Length_CrcCheck) { + goto bail; + } + crc_check = FDKreadBits(hBs, Adts_Length_CrcCheck); adtsHeaderLength += Adts_Length_CrcCheck; @@ -343,6 +359,10 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(HANDLE_ADTS pAdts, FDKmemcpy(&pAdts->bs, &bs, sizeof(STRUCT_ADTS_BS)); return TRANSPORTDEC_OK; + +bail: + FDKpushBack(hBs, adtsHeaderLength); + return TRANSPORTDEC_NOT_ENOUGH_BITS; } int adtsRead_GetRawDataBlockLength(HANDLE_ADTS pAdts, INT blockNum) { -- cgit v1.2.3