From c366b3db8fd78013edc5968df8507473b6fa71e6 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Fri, 20 Oct 2017 15:36:53 +0300 Subject: [PATCH] Add tighter sanity checks in CBlock_GetEscape We can't read 31 bits of value here, since that would place the topmost bit in the sign bit. Fixes: 3480/clusterfuzz-testcase-4573445423628288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libAACdec/src/block.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libAACdec/src/block.cpp b/libAACdec/src/block.cpp index bda565c..8bee2d4 100644 --- a/libAACdec/src/block.cpp +++ b/libAACdec/src/block.cpp @@ -138,7 +138,7 @@ LONG CBlock_GetEscape(HANDLE_FDK_BITSTREAM bs, /*!< pointer to bitstream */ if (i > 16) { - if (i - 16 > CACHE_BITS) { /* cannot read more than "CACHE_BITS" bits at once in the function FDKreadBits() */ + if (i >= 31) { /* (1 << i) will shift into the sign bit if i >= 31 */ return (MAX_QUANTIZED_VALUE + 1); /* returning invalid value that will be captured later */ }