From cc5c85dd70f04178abccfd2c5539b13e01da78d8 Mon Sep 17 00:00:00 2001
From: Martin Storsjo
Date: Thu, 15 Aug 2019 13:12:57 +0300
Subject: Avoid index-out-of-bounds in prepareDrcGain
Fixes: 15998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5756080707076096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libDRCdec/src/drcGainDec_preprocess.cpp | 1 +
 1 file changed, 1 insertion(+)
(limited to 'libDRCdec/src/drcGainDec_preprocess.cpp')
diff --git a/libDRCdec/src/drcGainDec_preprocess.cpp b/libDRCdec/src/drcGainDec_preprocess.cpp
index c543c53..8bd41d9 100644
--- a/libDRCdec/src/drcGainDec_preprocess.cpp
+++ b/libDRCdec/src/drcGainDec_preprocess.cpp
@@ -694,6 +694,7 @@ prepareDrcGain(HANDLE_DRC_GAIN_DECODER hGainDec,
 err = _prepareDrcCharacteristic(pDChar, pCoef, b, &nodeMod);
 if (err) return err;
+ if (seq >= 12) return DE_PARAM_OUT_OF_RANGE;
 /* copy a node buffer and convert from dB to linear */
 pLnb->nNodes[lnbp] = fMin((int)hUniDrcGain->nNodes[seq], 16);
 for (i = 0; i < pLnb->nNodes[lnbp]; i++) {
-- cgit v1.2.3
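Review bot: The bound in the added guard `if (seq >= 12)` is a bare literal that is not tied to the declared size of `hUniDrcGain->nNodes`, so the check and the array can drift apart if that dimension ever changes, and it rejects only the upper side. The type of `seq` is not visible in this hunk; if it is signed, a negative value still reaches `hUniDrcGain->nNodes[seq]` on the line after the comment. Assuming `nNodes` is a fixed-size array member, `if (seq < 0 || seq >= (int)(sizeof(hUniDrcGain->nNodes) / sizeof(hUniDrcGain->nNodes[0]))) return DE_PARAM_OUT_OF_RANGE;` (or a named constant shared with the struct declaration) would cover both cases. prepareDrcGain starts and ends outside the hunk, so any earlier use of `seq` as an index in the function would need the same check placed before it.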