[FFmpeg-cvslog] Do not allow arbitrary packet size in aac decoder.
Carl Eugen Hoyos
git at videolan.org
Thu Jan 10 13:03:41 CET 2013
ffmpeg | branch: master | Carl Eugen Hoyos <cehoyos at ag.or.at> | Thu Jan 10 13:00:19 2013 +0100| [b563afe6fa9345a62750055998a28a3926c02334] | committer: Carl Eugen Hoyos
Do not allow arbitrary packet size in aac decoder.
Fixes a crash with a file containing a 400MB packet reported in bug 420.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b563afe6fa9345a62750055998a28a3926c02334
---
libavcodec/aacdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 239153a..fcdfdb2 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -2665,6 +2665,9 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
if (ac->force_dmono_mode >= 0)
ac->dmono_mode = ac->force_dmono_mode;
+ if (INT_MAX / 8 <= buf_size)
+ return AVERROR_INVALIDDATA;
+
init_get_bits(&gb, buf, buf_size * 8);
if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb, avpkt)) < 0)
More information about the ffmpeg-cvslog
mailing list