From 3b9dd6b614edbfcb0cc31e176a0702c7a084d268 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Wed, 2 Oct 2019 13:32:57 +0300 Subject: Avoid index-out-of-bounds in processDrcTime Fixes: 17638/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5699860921057280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libDRCdec/src/drcGainDec_process.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libDRCdec/src/drcGainDec_process.cpp b/libDRCdec/src/drcGainDec_process.cpp index 70c9533..1894f47 100644 --- a/libDRCdec/src/drcGainDec_process.cpp +++ b/libDRCdec/src/drcGainDec_process.cpp @@ -308,6 +308,8 @@ processDrcTime(HANDLE_DRC_GAIN_DECODER hGainDec, const int activeDrcIndex, pLinearNodeBuffer[pActiveDrc->lnbIndexForChannel[c][lnbIx] + b]); else pLnbPrevious = pDummyLnb; + if (pLnbPrevious->nNodes[lnbIx] <= 0 || pLnbPrevious->nNodes[lnbIx] > 16) + return DE_NOT_OK; nodePrevious = pLnbPrevious->linearNode[lnbIx][pLnbPrevious->nNodes[lnbIx] - 1]; nodePrevious.time -= hGainDec->frameSize; -- cgit v1.2.3