From 625b582d5a9196c582e7702b542b3e0face30ccf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 19 Nov 2015 14:06:57 +0100
Subject: [PATCH] avcodec/aacsbr_template: Add Check to read_sbr_envelope()

The limit is a conservative guess, the spec does not seem to specify a limit

Reviewed-by: Andreas Cadhalpun
Signed-off-by: Michael Niedermayer
---
 libavcodec/aacsbr_template.c | 41 +++++++++++++++++++++++++++++-------
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c
index dd3c7496ff..733e619b78 100644
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@@ -793,7 +793,7 @@ static void read_sbr_invf(SpectralBandReplication *sbr, GetBitContext *gb,
         ch_data->bs_invf_mode[0][i] = get_bits(gb, 2);
 }
 
-static void read_sbr_envelope(SpectralBandReplication *sbr, GetBitContext *gb,
+static int read_sbr_envelope(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb,
                               SBRData *ch_data, int ch)
 {
     int bits;
@@ -837,29 +837,49 @@ static void read_sbr_envelope(SpectralBandReplication *sbr, GetBitContext *gb,
         if (ch_data->bs_df_env[i]) {
             // bs_freq_res[0] == bs_freq_res[bs_num_env] from prev frame
             if (ch_data->bs_freq_res[i + 1] == ch_data->bs_freq_res[i]) {
-                for (j = 0; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++)
+                for (j = 0; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++) {
                     ch_data->env_facs_q[i + 1][j] = ch_data->env_facs_q[i][j] + delta * (get_vlc2(gb, t_huff, 9, 3) - t_lav);
+                    if (ch_data->env_facs_q[i + 1][j] > 127U) {
+                        av_log(ac->avctx, AV_LOG_ERROR, "env_facs_q %d is invalid\n", ch_data->env_facs_q[i + 1][j]);
+                        return AVERROR_INVALIDDATA;
+                    }
+                }
             } else if (ch_data->bs_freq_res[i + 1]) {
                 for (j = 0; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++) {
                     k = (j + odd) >> 1; // find k such that f_tablelow[k] <= f_tablehigh[j] < f_tablelow[k + 1]
                     ch_data->env_facs_q[i + 1][j] = ch_data->env_facs_q[i][k] + delta * (get_vlc2(gb, t_huff, 9, 3) - t_lav);
+                    if (ch_data->env_facs_q[i + 1][j] > 127U) {
+                        av_log(ac->avctx, AV_LOG_ERROR, "env_facs_q %d is invalid\n", ch_data->env_facs_q[i + 1][j]);
+                        return AVERROR_INVALIDDATA;
+                    }
                 }
             } else {
                 for (j = 0; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++) {
                     k = j ? 2*j - odd : 0; // find k such that f_tablehigh[k] == f_tablelow[j]
                     ch_data->env_facs_q[i + 1][j] = ch_data->env_facs_q[i][k] + delta * (get_vlc2(gb, t_huff, 9, 3) - t_lav);
+                    if (ch_data->env_facs_q[i + 1][j] > 127U) {
+                        av_log(ac->avctx, AV_LOG_ERROR, "env_facs_q %d is invalid\n", ch_data->env_facs_q[i + 1][j]);
+                        return AVERROR_INVALIDDATA;
+                    }
                 }
             }
         } else {
             ch_data->env_facs_q[i + 1][0] = delta * get_bits(gb, bits); // bs_env_start_value_balance
-            for (j = 1; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++)
+            for (j = 1; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++) {
                 ch_data->env_facs_q[i + 1][j] = ch_data->env_facs_q[i + 1][j - 1] + delta * (get_vlc2(gb, f_huff, 9, 3) - f_lav);
+                if (ch_data->env_facs_q[i + 1][j] > 127U) {
+                    av_log(ac->avctx, AV_LOG_ERROR, "env_facs_q %d is invalid\n", ch_data->env_facs_q[i + 1][j]);
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         }
     }
 
     //assign 0th elements of env_facs_q from last elements
     memcpy(ch_data->env_facs_q[0], ch_data->env_facs_q[ch_data->bs_num_env],
            sizeof(ch_data->env_facs_q[0]));
+
+    return 0;
 }
 
 static int read_sbr_noise(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb,
@@ -953,7 +973,8 @@ static int read_sbr_single_channel_element(AACContext *ac,
         return -1;
     read_sbr_dtdf(sbr, gb, &sbr->data[0]);
     read_sbr_invf(sbr, gb, &sbr->data[0]);
-    read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
+    if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+        return ret;
     if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
         return ret;
 
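Review bot: The bound `127U` is repeated in four identical three-line checks with no comment, and the commit message's rationale (a conservative guess, the spec does not state a limit) never reaches the code. Suggest hoisting it to a named constant next to the function, e.g. `#define SBR_ENV_FACS_Q_MAX 127 /* conservative bound; the spec does not define one */`, and noting on the first check that the comparison against an unsigned constant also rejects negative results, which the `- t_lav` term suggests is possible but which reads as an upper-bound-only check. The start value `delta * get_bits(gb, bits)` in the else branch is the one write left unchecked; `bits` and `delta` are set outside the hunk, so whether it can exceed the bound cannot be judged here, and a one-line comment saying why it is exempt would help. The `%d` in the av_log format is only correct if env_facs_q is a signed int; worth confirming against the SBRData declaration. The enclosing for loop over envelopes starts before this hunk.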
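Review bot: The new `if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[0], 0)) < 0)` line omits the space between `if` and `(`, i.e. `if ((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[0], 0)) < 0)`; the same applies to the added lines in the two read_sbr_channel_pair_element hunks below. It matches the neighbouring read_sbr_noise lines, so it is a pre-existing inconsistency rather than a new one, and only the added lines need touching if the project prefers not to reformat context. The function body continues outside the hunk.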
@@ -981,10 +1002,12 @@ static int read_sbr_channel_pair_element(AACContext *ac,
         read_sbr_invf(sbr, gb, &sbr->data[0]);
         memcpy(sbr->data[1].bs_invf_mode[1], sbr->data[1].bs_invf_mode[0], sizeof(sbr->data[1].bs_invf_mode[0]));
         memcpy(sbr->data[1].bs_invf_mode[0], sbr->data[0].bs_invf_mode[0], sizeof(sbr->data[1].bs_invf_mode[0]));
-        read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
+        if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+            return ret;
         if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
             return ret;
-        read_sbr_envelope(sbr, gb, &sbr->data[1], 1);
+        if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[1], 1)) < 0)
+            return ret;
         if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[1], 1)) < 0)
             return ret;
     } else {
@@ -995,8 +1018,10 @@ static int read_sbr_channel_pair_element(AACContext *ac,
         read_sbr_dtdf(sbr, gb, &sbr->data[1]);
         read_sbr_invf(sbr, gb, &sbr->data[0]);
         read_sbr_invf(sbr, gb, &sbr->data[1]);
-        read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
-        read_sbr_envelope(sbr, gb, &sbr->data[1], 1);
+        if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+            return ret;
+        if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[1], 1)) < 0)
+            return ret;
         if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
             return ret;
         if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[1], 1)) < 0)