[SCM] libav/experimental: aac: Keep decode_band_types() from eating all padding at the end of a buffer.
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Sun Jun 30 17:01:36 UTC 2013
The following commit has been merged in the experimental branch:
commit c4a90caae249a8bafb7534bac41f7ae89229a672
Author: Alex Converse <alex.converse at gmail.com>
Date: Wed Feb 24 23:56:52 2010 +0000
aac: Keep decode_band_types() from eating all padding at the end of a buffer.
Due to a shortcoming in the AAC specification, if an all zero buffer is
fed to section data decoding it will never terminate. That means without
a buffer exhaustion check decode_band_types() will consume all input
buffer padding. Worse if a get_bits() implementation that returns zeros
when padding is exhausted is used, the function will never terminate.
The fixes that by added a buffer exhaustion check in the sectioning
decoding loop.
Originally committed as revision 22044 to svn://svn.ffmpeg.org/ffmpeg/trunk
diff --git a/libavcodec/aac.c b/libavcodec/aac.c
index 87eac4c..faf1d72 100644
--- a/libavcodec/aac.c
+++ b/libavcodec/aac.c
@@ -715,6 +715,10 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
sect_end += sect_len_incr;
sect_end += sect_len_incr;
+ if (get_bits_left(gb) < 0) {
+ av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
+ return -1;
+ }
if (sect_end > ics->max_sfb) {
av_log(ac->avccontext, AV_LOG_ERROR,
"Number of bands (%d) exceeds limit (%d).\n",
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list