Fix fuzzer's use of aacDecoder_DecodeFrame
The aacDecoder_DecodeFrame function takes the output buffer size as a number of samples (INT_PCM), not a number of bytes. Passing a byte count made the FDK believe the array was larger than it really was, so on invalid frames it tried to clear more memory than was actually available, causing an out-of-bounds crash. Bug: 161014225 Test: check clusterfuzz results for case 6217304556437504 Change-Id: I9278898a17c1c961c568e841c6037d0c14bcc8b4
parent
6c00295b87
commit
f451278f0e
@ -118,7 +118,8 @@ void Codec::decodeFrames(UCHAR *data, UINT size) {
INT_PCM outputBuf[kMaxOutBufferSize];
INT_PCM outputBuf[kMaxOutBufferSize];
do {
do {
mErrorCode =
mErrorCode =
aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, sizeof(outputBuf), 0);
aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf,
kMaxOutBufferSize /*size in number of INT_PCM, not bytes*/, 0);
} while (mErrorCode == AAC_DEC_OK);
} while (mErrorCode == AAC_DEC_OK);
UINT offset = inputSize - valid;
UINT offset = inputSize - valid;
data += offset;
data += offset;
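Review bot: The new `aacDecoder_DecodeFrame` call still states the element count as a separate constant, `kMaxOutBufferSize`, so the declaration `INT_PCM outputBuf[kMaxOutBufferSize];` and the size handed to the decoder can drift apart again if either is edited alone — the same class of mismatch this commit fixes, and in a fuzzer it would surface as another OOB write on malformed input. Deriving the count from the array itself keeps them tied: `aacDecoder_DecodeFrame(mAacDecoderHandle, outputBuf, sizeof(outputBuf) / sizeof(outputBuf[0]), 0);`, or keep the constant and pin it next to the declaration with `static_assert(sizeof(outputBuf) / sizeof(outputBuf[0]) == kMaxOutBufferSize, "decoder size is in INT_PCM samples");`. The inline `/*size in number of INT_PCM, not bytes*/` comment is worth keeping either way, since the original bug shows the unit is not obvious at the call site. Codec::decodeFrames begins before this hunk and continues after it, so how `inputSize` and `valid` are maintained cannot be checked here.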