Reapply: Avoid reading out of bounds due to too large aaIidIndexMapped

Fixes: 10726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5167035365982208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
2017-11-20 12:35:32 +02:00 · 2017-11-20 12:35:32 +02:00 · 28fdc28ec4
parent e6bb256130
commit 28fdc28ec4
1 changed files with 10 additions and 5 deletions
--- a/libSBRdec/src/psdec.cpp
+++ b/libSBRdec/src/psdec.cpp
@ -325,7 +325,7 @@ void initSlotBasedRotation(
    int env, int usb) {
  INT group = 0;
  INT bin = 0;
-  INT noIidSteps;
+  INT noIidSteps, noFactors;
  FIXP_SGL invL;
  FIXP_DBL ScaleL, ScaleR;
@ -337,9 +337,11 @@ void initSlotBasedRotation(
  if (h_ps_d->bsData[h_ps_d->processSlot].mpeg.bFineIidQ) {
    PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */
    noIidSteps = NO_IID_STEPS_FINE;
    noFactors = NO_IID_LEVELS_FINE;
  } else {
    PScaleFactors = ScaleFactors; /* values are shiftet right by one */
    noIidSteps = NO_IID_STEPS;
    noFactors = NO_IID_LEVELS;
  }
  /* dequantize and decode */
@ -358,10 +360,13 @@ void initSlotBasedRotation(
    /* ScaleR and ScaleL are scaled by 1 shift right */
-    ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef
+    ScaleL = ScaleR = 0;
-                                            ->aaIidIndexMapped[env][bin]];
+    if (noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
-    ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef
+      ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef
-                                            ->aaIidIndexMapped[env][bin]];
+                                              ->aaIidIndexMapped[env][bin]];
    if (noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
      ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef
                                              ->aaIidIndexMapped[env][bin]];
    AlphasValue = 0;
    if (h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin] >= 0)