fenix
/
fdk-aac
mirror of https://github.com/mstorsjo/fdk-aac.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

MPEG-4 AAC Decoder: check against invalid height info 

In CProgramConfig_ReadHeightExt prevent stack overflow
 from invalid FrontElementHeightInfo array value.

Bug: 70637599
Test: see bug
Change-Id: I145414d81d7a7be711672c12f44b537c12eea308
This commit is contained in:
Jean-Michel Trivi 2018-01-12 10:08:32 -08:00
parent 2045658771
commit 82e17d87f0
1 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
libMpegTPDec/src/tpdec_asc.cpp
View File

@ -118,7 +118,9 @@ int CProgramConfig_IsValid ( const CProgramConfig *pPce )
/*
* Read the extension for height info.
* return 0 if successfull or -1 if the CRC failed.
* return 0 if successfull,
* -1 if the CRC failed,
* -2 if invalid HeightInfo.
*/
static
int CProgramConfig_ReadHeightExt(
@ -146,15 +148,21 @@ int CProgramConfig_ReadHeightExt(
for (i=0; i < pPce->NumFrontChannelElements; i++)
{
pPce->FrontElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2);
if ((pPce->FrontElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
}
for (i=0; i < pPce->NumSideChannelElements; i++)
{
pPce->SideElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2);
if ((pPce->SideElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
}
for (i=0; i < pPce->NumBackChannelElements; i++)
{
pPce->BackElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2);
if ((pPce->BackElementHeightInfo[i] = (UCHAR) FDKreadBits(bs,2)) >= PC_NUM_HEIGHT_LAYER) {
err = -2; /* height information is out of the valid range */
}
}
FDKbyteAlign(bs, alignmentAnchor);
@ -163,6 +171,13 @@ int CProgramConfig_ReadHeightExt(
/* CRC failed */
err = -1;
}
if (err!=0) {
/* Reset whole height information in case an error occured during parsing. The return
value ensures that pPce->isValid is set to 0 and implicit channel mapping is used. */
FDKmemclear(pPce->FrontElementHeightInfo, sizeof(pPce->FrontElementHeightInfo));
FDKmemclear(pPce->SideElementHeightInfo, sizeof(pPce->SideElementHeightInfo));
FDKmemclear(pPce->BackElementHeightInfo, sizeof(pPce->BackElementHeightInfo));
}
}
else {
/* No valid extension data found -> restore the initial bitbuffer state */