From c366b3db8fd78013edc5968df8507473b6fa71e6 Mon Sep 17 00:00:00 2001
From: Martin Storsjo <martin@martin.st>
Date: Fri, 20 Oct 2017 15:36:53 +0300
Subject: Add tighter sanity checks in CBlock_GetEscape

We can't read 31 bits of value here, since that would place the
topmost bit in the sign bit.

Fixes: 3480/clusterfuzz-testcase-4573445423628288

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libAACdec/src/block.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libAACdec')

diff --git a/libAACdec/src/block.cpp b/libAACdec/src/block.cpp
index bda565c..8bee2d4 100644
--- a/libAACdec/src/block.cpp
+++ b/libAACdec/src/block.cpp
@@ -138,7 +138,7 @@ LONG CBlock_GetEscape(HANDLE_FDK_BITSTREAM bs, /*!< pointer to bitstream */
 
   if (i > 16)
   {
-    if (i - 16 > CACHE_BITS) { /* cannot read more than "CACHE_BITS" bits at once in the function FDKreadBits() */
+    if (i >= 31) { /* (1 << i) will shift into the sign bit if i >= 31 */
       return (MAX_QUANTIZED_VALUE + 1); /* returning invalid value that will be captured later */
     }
 
-- 
cgit v1.2.3