[FFmpeg-cvslog] Do not allow arbitrary packet size in aac decoder.

Carl Eugen Hoyos git at videolan.org
Thu Jan 10 13:03:41 CET 2013


ffmpeg | branch: master | Carl Eugen Hoyos <cehoyos at ag.or.at> | Thu Jan 10 13:00:19 2013 +0100| [b563afe6fa9345a62750055998a28a3926c02334] | committer: Carl Eugen Hoyos

Do not allow arbitrary packet size in aac decoder.

Fixes a crash with a file containing a 400MB packet reported in bug 420.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b563afe6fa9345a62750055998a28a3926c02334
---

 libavcodec/aacdec.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 239153a..fcdfdb2 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -2665,6 +2665,9 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
     if (ac->force_dmono_mode >= 0)
         ac->dmono_mode = ac->force_dmono_mode;
 
+    if (INT_MAX / 8 <= buf_size)
+        return AVERROR_INVALIDDATA;
+
     init_get_bits(&gb, buf, buf_size * 8);
 
     if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb, avpkt)) < 0)
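
Review bot: the added `INT_MAX / 8 <= buf_size` test has no comment tying it to the `buf_size * 8` passed to `init_get_bits()` on the next line, so it reads as an arbitrary packet-size cap rather than a guard against signed overflow in that multiplication; a one-line comment stating this would help. Two smaller points on the same lines: `<=` also rejects `buf_size == INT_MAX / 8`, where the product still fits in an int, so it is worth confirming that the conservative bound is intended; and the early `return AVERROR_INVALIDDATA;` is silent, so an `av_log()` message naming the oversized packet would make the rejection diagnosable. The guard covers only this call site.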


