[FFmpeg-cvslog] aacps: check iid/icc_par more completely.

Michael Niedermayer git at videolan.org
Fri Nov 30 22:38:31 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Nov 30 19:24:56 2012 +0100| [991e23519ac53adc624338b3a7628c9c289268cb] | committer: Michael Niedermayer

aacps: check iid/icc_par more completely.

Fixes global out of array read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=991e23519ac53adc624338b3a7628c9c289268cb
---

 libavcodec/aacps.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index c8002e2..25ed1d0 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -236,6 +236,7 @@ int ff_ps_read_data(AVCodecContext *avctx, GetBitContext *gb_host, PSContext *ps
     if (!ps->num_env || ps->border_position[ps->num_env] < numQMFSlots - 1) {
         //Create a fake envelope
         int source = ps->num_env ? ps->num_env - 1 : ps->num_env_old - 1;
+        int b;
         if (source >= 0 && source != ps->num_env) {
             if (ps->enable_iid) {
                 memcpy(ps->iid_par+ps->num_env, ps->iid_par+source, sizeof(ps->iid_par[0]));
@@ -248,6 +249,22 @@ int ff_ps_read_data(AVCodecContext *avctx, GetBitContext *gb_host, PSContext *ps
                 memcpy(ps->opd_par+ps->num_env, ps->opd_par+source, sizeof(ps->opd_par[0]));
             }
         }
+        if (ps->enable_iid){
+            for (b = 0; b < ps->nr_iid_par; b++) {
+                if (FFABS(ps->iid_par[ps->num_env][b]) > 7 + 8 * ps->iid_quant) {
+                    av_log(avctx, AV_LOG_ERROR, "iid_par invalid\n");
+                    goto err;
+                }
+            }
+        }
+        if (ps->enable_icc){
+            for (b = 0; b < ps->nr_iid_par; b++) {
+                if (ps->icc_par[ps->num_env][b] > 7U) {
+                    av_log(avctx, AV_LOG_ERROR, "icc_par invalid\n");
+                    goto err;
+                }
+            }
+        }
         ps->num_env++;
         ps->border_position[ps->num_env] = numQMFSlots - 1;
     }
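
Review bot: The icc_par loop inside `if (ps->enable_icc)` is bounded by `ps->nr_iid_par`, the same count used by the iid_par loop just above it, which reads like a copy-paste from the IID check. PSContext carries a separate `nr_icc_par`, so whenever the two counts differ this either leaves trailing icc_par entries unvalidated or fails the frame on entries that are not in use; suggest `for (b = 0; b < ps->nr_icc_par; b++)`. Separately, the `> 7U` comparison presumably relies on the unsigned conversion to reject negative values as well as values above 7, while the iid check uses FFABS; a one-line comment saying so would keep a later cleanup from dropping the `U` and reopening the out-of-array read.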


