fenix
/
fdk-aac
mirror of https://github.com/mstorsjo/fdk-aac.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Check for heightLayer out of range 

Alternatively, the bits read in CProgramConfig_ReadHeightExt could
be checked right there instead.

Fixes: 2802/clusterfuzz-testcase-minimized-6752357788418048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
This commit is contained in:
Martin Storsjo 2017-08-03 13:59:22 +03:00
parent 93aff8af7f
commit 079de87687
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libMpegTPDec/src/tpdec_asc.cpp
View File

@ -717,6 +717,8 @@ int CProgramConfig_LookupElement(CProgramConfig *pPce, UINT channelConfig,
/* search in front channels */
for (i = 0; i < pPce->NumFrontChannelElements; i++) {
int heightLayer = pPce->FrontElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
if (isCpe == pPce->FrontElementIsCpe[i] &&
pPce->FrontElementTagSelect[i] == tag) {
int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
@ -773,6 +775,8 @@ int CProgramConfig_LookupElement(CProgramConfig *pPce, UINT channelConfig,
/* search in side channels */
for (i = 0; i < pPce->NumSideChannelElements; i++) {
int heightLayer = pPce->SideElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
if (isCpe == pPce->SideElementIsCpe[i] &&
pPce->SideElementTagSelect[i] == tag) {
int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
@ -830,6 +834,8 @@ int CProgramConfig_LookupElement(CProgramConfig *pPce, UINT channelConfig,
/* search in back channels */
for (i = 0; i < pPce->NumBackChannelElements; i++) {
int heightLayer = pPce->BackElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
if (isCpe == pPce->BackElementIsCpe[i] &&
pPce->BackElementTagSelect[i] == tag) {
int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
@ -891,18 +897,24 @@ int CProgramConfig_LookupElement(CProgramConfig *pPce, UINT channelConfig,
channels/elements at normal height */
for (i = 0; i < pPce->NumFrontChannelElements; i += 1) {
int heightLayer = pPce->FrontElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
ec[heightLayer] += 1;
cc[heightLayer] += (pPce->FrontElementIsCpe[i]) ? 2 : 1;
}
/* Count side channels/elements at normal height */
for (i = 0; i < pPce->NumSideChannelElements; i += 1) {
int heightLayer = pPce->SideElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
ec[heightLayer] += 1;
cc[heightLayer] += (pPce->SideElementIsCpe[i]) ? 2 : 1;
}
/* Count back channels/elements at normal height */
for (i = 0; i < pPce->NumBackChannelElements; i += 1) {
int heightLayer = pPce->BackElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
ec[heightLayer] += 1;
cc[heightLayer] += (pPce->BackElementIsCpe[i]) ? 2 : 1;
}