From d2fa9750d5f5cc5099ed616f762aad36cf2d3e9a Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Sun, 11 Jun 2017 22:59:38 +0300 Subject: Make sure to end all CRC regions in the right order This fixes assert failures, when a (corrupt/fuzzed) bitstream doesn't trigger starting/ending CRCs properly (or when decoding is aborted halfway when an error is encountered). Skipping ending a CRC region doesn't trigger an assert failure, but when a later CRC region is started and ended, an assert fails when the end doesn't match the expected CRC region. Fixes: 1928/clusterfuzz-testcase-minimized-6480505958563840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libAACdec/src/channel.cpp | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'libAACdec/src') diff --git a/libAACdec/src/channel.cpp b/libAACdec/src/channel.cpp index 5475079..4b182e0 100644 --- a/libAACdec/src/channel.cpp +++ b/libAACdec/src/channel.cpp @@ -411,11 +411,15 @@ AAC_DECODER_ERROR CChannelElement_Read(HANDLE_FDK_BITSTREAM hBs, case drmcrc_end_reg: if (pTpDec != NULL) { transportDec_CrcEndReg(pTpDec, crcReg1); + crcReg1 = -1; } break; case adtscrc_end_reg2: - if (pTpDec != NULL) { + if (crcReg1 != -1) { + error = AAC_DEC_DECODE_FRAME_ERROR; + } else if (pTpDec != NULL) { transportDec_CrcEndReg(pTpDec, crcReg2); + crcReg2 = -1; } break; case drmcrc_start_reg: @@ -447,5 +451,16 @@ AAC_DECODER_ERROR CChannelElement_Read(HANDLE_FDK_BITSTREAM hBs, } while (list->id[i] != end_of_sequence); bail: + if (crcReg1 != -1 || crcReg2 != -1) { + if (error == AAC_DEC_OK) { + error = AAC_DEC_DECODE_FRAME_ERROR; + } + if (crcReg1 != -1) { + transportDec_CrcEndReg(pTpDec, crcReg1); + } + if (crcReg2 != -1) { + transportDec_CrcEndReg(pTpDec, crcReg2); + } + } return error; } -- cgit v1.2.3