fenix
/
fdk-aac
mirror of https://github.com/mstorsjo/fdk-aac.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Check for heightLayer out of range 

Alternatively, the bits read in CProgramConfig_ReadHeightExt could
be checked right there instead.

Fixes: 2802/clusterfuzz-testcase-minimized-6752357788418048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
This commit is contained in:
Martin Storsjo 2017-08-03 13:59:22 +03:00
parent 52c2660c26
commit ee6d9476a6
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libMpegTPDec/src/tpdec_asc.cpp
View File

@ -650,6 +650,8 @@ int CProgramConfig_LookupElement(
/* search in front channels */
for (i = 0; i < pPce->NumFrontChannelElements; i++) {
int heightLayer = pPce->FrontElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
if (isCpe == pPce->FrontElementIsCpe[i] && pPce->FrontElementTagSelect[i] == tag) {
int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_FRONT);
@ -704,6 +706,8 @@ int CProgramConfig_LookupElement(
/* search in side channels */
for (i = 0; i < pPce->NumSideChannelElements; i++) {
int heightLayer = pPce->SideElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
if (isCpe == pPce->SideElementIsCpe[i] && pPce->SideElementTagSelect[i] == tag) {
int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_SIDE);
@ -758,6 +762,8 @@ int CProgramConfig_LookupElement(
/* search in back channels */
for (i = 0; i < pPce->NumBackChannelElements; i++) {
int heightLayer = pPce->BackElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
if (isCpe == pPce->BackElementIsCpe[i] && pPce->BackElementTagSelect[i] == tag) {
int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_BACK);
@ -817,18 +823,24 @@ int CProgramConfig_LookupElement(
Start with counting the front channels/elements at normal height */
for (i = 0; i < pPce->NumFrontChannelElements; i+=1) {
int heightLayer = pPce->FrontElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
ec[heightLayer] += 1;
cc[heightLayer] += (pPce->FrontElementIsCpe[i]) ? 2 : 1;
}
/* Count side channels/elements at normal height */
for (i = 0; i < pPce->NumSideChannelElements; i+=1) {
int heightLayer = pPce->SideElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
ec[heightLayer] += 1;
cc[heightLayer] += (pPce->SideElementIsCpe[i]) ? 2 : 1;
}
/* Count back channels/elements at normal height */
for (i = 0; i < pPce->NumBackChannelElements; i+=1) {
int heightLayer = pPce->BackElementHeightInfo[i];
if (heightLayer >= PC_NUM_HEIGHT_LAYER)
return 0;
ec[heightLayer] += 1;
cc[heightLayer] += (pPce->BackElementIsCpe[i]) ? 2 : 1;
}