[FFmpeg-cvslog] avcodec/aacdec: Fix integer overflow in argument to decode_audio_specific_config()
Michael Niedermayer
git at videolan.org
Mon Aug 3 01:55:45 CEST 2015
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon Aug 3 01:22:27 2015 +0200| [7f46a641bf2540b8cf1293d5e50c0c0e34264254] | committer: Michael Niedermayer
avcodec/aacdec: Fix integer overflow in argument to decode_audio_specific_config()
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7f46a641bf2540b8cf1293d5e50c0c0e34264254
---
libavcodec/aacdec.c | 2 +-
libavcodec/aacdec_template.c | 13 +++++++++----
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index c036403..837102f 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -496,7 +496,7 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out,
push_output_configuration(&latmctx->aac_ctx);
if ((err = decode_audio_specific_config(
&latmctx->aac_ctx, avctx, &latmctx->aac_ctx.oc[1].m4ac,
- avctx->extradata, avctx->extradata_size*8, 1)) < 0) {
+ avctx->extradata, avctx->extradata_size*8LL, 1)) < 0) {
pop_output_configuration(&latmctx->aac_ctx);
return err;
}
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 1f3ef0e..c2d7d05 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -940,13 +940,18 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx,
static int decode_audio_specific_config(AACContext *ac,
AVCodecContext *avctx,
MPEG4AudioConfig *m4ac,
- const uint8_t *data, int bit_size,
+ const uint8_t *data, int64_t bit_size,
int sync_extension)
{
GetBitContext gb;
int i, ret;
- ff_dlog(avctx, "audio specific config size %d\n", bit_size >> 3);
+ if (bit_size < 0 || bit_size > INT_MAX) {
+ av_log(avctx, AV_LOG_ERROR, "Audio specific config size is invalid\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ ff_dlog(avctx, "audio specific config size %d\n", (int)bit_size >> 3);
for (i = 0; i < bit_size >> 3; i++)
ff_dlog(avctx, "%02x ", data[i]);
ff_dlog(avctx, "\n");
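Review bot: The range check added at the top of decode_audio_specific_config() can only catch an out-of-range size if the caller already computed it in 64 bits. A caller that still writes `extradata_size * 8` in `int` overflows before the call, so the check tests a wrapped value. The three call sites touched by this commit use `8LL`, but nothing at the declaration states the requirement, so I would add a comment above the function such as `/* bit_size is a count of bits; callers must compute it in 64-bit arithmetic (e.g. size * 8LL) so the range check below is meaningful */`. In the debug line, `(int)bit_size >> 3` casts before shifting, which is equivalent once the check has passed but reads more clearly as `(int)(bit_size >> 3)`. The function body continues past the end of this hunk.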
@@ -1076,7 +1081,7 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
if (avctx->extradata_size > 0) {
if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac,
avctx->extradata,
- avctx->extradata_size * 8,
+ avctx->extradata_size * 8LL,
1)) < 0)
return ret;
} else {
@@ -3107,7 +3112,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
push_output_configuration(ac);
if (decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac,
avctx->extradata,
- avctx->extradata_size*8, 1) < 0) {
+ avctx->extradata_size*8LL, 1) < 0) {
pop_output_configuration(ac);
return AVERROR_INVALIDDATA;
}
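Review bot: This call site in aac_decode_frame() discards the callee's return value and always returns `AVERROR_INVALIDDATA`, whereas latm_decode_frame() and aac_decode_init() in the other hunks propagate it (`return err;`, `return ret;`). If decode_audio_specific_config() can fail for reasons other than invalid data (not visible here), that error code is lost to the caller. Capturing it in a local `int`, as in `if ((ret = decode_audio_specific_config(...)) < 0) { pop_output_configuration(ac); return ret; }`, would keep the three callers consistent. The enclosing function starts and ends outside the hunk.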