From 9b47a5e569c5d340028bc8e9b4b289060ea7894f Mon Sep 17 00:00:00 2001
From: Martin Storsjo
Date: Fri, 20 Oct 2017 15:36:53 +0300
Subject: [PATCH] Add tighter sanity checks in CBlock_GetEscape

We can't read 31 bits of value here, since that would place the topmost bit in the sign bit.

Fixes: 3480/clusterfuzz-testcase-4573445423628288
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libAACdec/src/block.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libAACdec/src/block.cpp b/libAACdec/src/block.cpp
index 7d2a4b9..1280215 100644
--- a/libAACdec/src/block.cpp
+++ b/libAACdec/src/block.cpp
@@ -143,7 +143,8 @@ LONG CBlock_GetEscape(HANDLE_FDK_BITSTREAM bs, /*!< pointer to bitstream */
     if (FDKreadBit(bs) == 0) break;
   }
 
-  if (i == 32) return (MAX_QUANTIZED_VALUE + 1);
+  /* (1 << i) will shift into the sign bit if i >= 31 */
+  if (i >= 31) return (MAX_QUANTIZED_VALUE + 1);
 
   off = FDKreadBits(bs, i);
   i = off + (1 << i);
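Review bot: The new `i >= 31` guard only prevents the shift in `i = off + (1 << i);` from reaching the sign bit; for any prefix length below that the function still returns `off + (1 << i)`, which can be far above MAX_QUANTIZED_VALUE, so the sentinel does not bound the decoded escape value and every caller must still range-check the result. If MAX_QUANTIZED_VALUE is 8191 as in the AAC escape coding, any i above 12 already produces an out-of-range value, so a tighter threshold returning the same sentinel would let callers rely on a single bound — worth confirming against the callers, which are not in this hunk. At minimum the added comment should say so, e.g. `/* i < 31 keeps the shift well-defined; the result may still exceed MAX_QUANTIZED_VALUE and must be range-checked by the caller */`. CBlock_GetEscape begins and ends outside the hunk, so the loop bound `i < 32` producing the i values tested here is not visible.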