[FFmpeg-cvslog] avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'

Sun Jun 18 17:24:14 EEST 2017

ffmpeg | branch: release/3.1 | Michael Niedermayer <michael at niedermayer.cc> | Wed May 17 16:45:46 2017 +0200| [f0a24f2f77d1364fb848557da19ac1dfe3ccf791] | committer: Michael Niedermayer

avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'

Fixes: 1656/clusterfuzz-testcase-minimized-5900404925661184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 94d05ff15985d17aba070eaec82acd21c0da3d86)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f0a24f2f77d1364fb848557da19ac1dfe3ccf791
---

 libavcodec/aacdec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index ee9b4eb45f..ffb0f22ec0 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -424,6 +424,8 @@ static int read_payload_length_info(struct LATMContext *ctx, GetBitContext *gb)
     if (ctx->frame_length_type == 0) {
         int mux_slot_length = 0;
         do {
+            if (get_bits_left(gb) < 8)
+                return AVERROR_INVALIDDATA;
             tmp = get_bits(gb, 8);
             mux_slot_length += tmp;
         } while (tmp == 255);
@@ -453,7 +455,7 @@ static int read_audio_mux_element(struct LATMContext *latmctx,
     }
     if (latmctx->audio_mux_version_A == 0) {
         int mux_slot_length_bytes = read_payload_length_info(latmctx, gb);
-        if (mux_slot_length_bytes * 8 > get_bits_left(gb)) {
+        if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) {
             av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n");
             return AVERROR_INVALIDDATA;
         } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) {

