fenix
/
fdk-aac
mirror of https://github.com/mstorsjo/fdk-aac.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix fuzzer's use of aacDecoder_DecodeFrame 

The aacDecoder_DecodeFrame function takes a size in numbers of
samples (INT_PCM), not a number of bytes. Using a number of
bytes caused the FDK to believe the array was larger than it
really was. Therefore on invalid frames, it would try to
clear a size larger than was really available, causing an OOB
crash.

Bug: 161014225
Test: check clusterfuzz results for case 6217304556437504
Change-Id: I9278898a17c1c961c568e841c6037d0c14bcc8b4
This commit is contained in:
Jean-Michel Trivi 2020-10-05 16:27:56 -07:00
parent 6c00295b87
commit f451278f0e
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
fuzzer/aac_dec_fuzzer.cpp
View File

@ -118,7 +118,8 @@ void Codec::decodeFrames(UCHAR *data, UINT size) {
INT_PCM outputBuf[kMaxOutBufferSize];
do {
mErrorCode =
aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, sizeof(outputBuf), 0);
aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf,
kMaxOutBufferSize /*size in number of INT_PCM, not bytes*/, 0);
} while (mErrorCode == AAC_DEC_OK);
UINT offset = inputSize - valid;
data += offset;