[SCM] libav/experimental: aac: Keep decode_band_types() from eating all padding at the end of a buffer.

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Sun Jun 30 17:01:36 UTC 2013


The following commit has been merged in the experimental branch:
commit c4a90caae249a8bafb7534bac41f7ae89229a672
Author: Alex Converse <alex.converse at gmail.com>
Date:   Wed Feb 24 23:56:52 2010 +0000

    aac: Keep decode_band_types() from eating all padding at the end of a buffer.
    
    Due to a shortcoming in the AAC specification, if an all zero buffer is
    fed to section data decoding it will never terminate. That means without
    a buffer exhaustion check decode_band_types() will consume all input
    buffer padding. Worse if a get_bits() implementation that returns zeros
    when padding is exhausted is used, the function will never terminate.
    
    The fixes that by added a buffer exhaustion check in the sectioning
    decoding loop.
    
    Originally committed as revision 22044 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavcodec/aac.c b/libavcodec/aac.c
index 87eac4c..faf1d72 100644
--- a/libavcodec/aac.c
+++ b/libavcodec/aac.c
@@ -715,6 +715,10 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
             while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
                 sect_end += sect_len_incr;
             sect_end += sect_len_incr;
+            if (get_bits_left(gb) < 0) {
+                av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
+                return -1;
+            }
             if (sect_end > ics->max_sfb) {
                 av_log(ac->avccontext, AV_LOG_ERROR,
                        "Number of bands (%d) exceeds limit (%d).\n",

-- 
Libav/FFmpeg packaging



More information about the pkg-multimedia-commits mailing list