1
0
mirror of https://github.com/mstorsjo/fdk-aac.git synced 2025-01-05 20:37:13 +01:00

DO NOT MERGE MPEG-4 AAC Decoder: check against invalid height info

In CProgramConfig_ReadHeightExt prevent stack overflow
 from invalid FrontElementHeightInfo array value.

Bug: 70637599
Test: see bug
Change-Id: I145414d81d7a7be711672c12f44b537c12eea308
This commit is contained in:
Jean-Michel Trivi 2018-01-12 10:08:32 -08:00
parent 5565e7791f
commit 4a54666f3e

View File

@ -118,7 +118,9 @@ int CProgramConfig_IsValid ( const CProgramConfig *pPce )
/*
* Read the extension for height info.
* return 0 if successfull or -1 if the CRC failed.
* return 0 if successfull,
* -1 if the CRC failed,
* -2 if invalid HeightInfo.
*/
static
int CProgramConfig_ReadHeightExt(
@ -146,15 +148,21 @@ int CProgramConfig_ReadHeightExt(
for (i=0; i < pPce->NumFrontChannelElements; i++)
{
pPce->FrontElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2);
if ((pPce->FrontElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
}
for (i=0; i < pPce->NumSideChannelElements; i++)
{
pPce->SideElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2);
if ((pPce->SideElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
}
for (i=0; i < pPce->NumBackChannelElements; i++)
{
pPce->BackElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2);
if ((pPce->BackElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
}
FDKbyteAlign(bs, alignmentAnchor);
@ -163,6 +171,13 @@ int CProgramConfig_ReadHeightExt(
/* CRC failed */
err = -1;
}
if (err!=0) {
/* Reset whole height information in case an error occured during parsing. The return
value ensures that pPce->isValid is set to 0 and implicit channel mapping is used. */
FDKmemclear(pPce->FrontElementHeightInfo, sizeof(pPce->FrontElementHeightInfo));
FDKmemclear(pPce->SideElementHeightInfo, sizeof(pPce->SideElementHeightInfo));
FDKmemclear(pPce->BackElementHeightInfo, sizeof(pPce->BackElementHeightInfo));
}
}
else {
/* No valid extension data found -> restore the initial bitbuffer state */