From f09bbb8f087dc1780ce1fe236a7e27ae4e49fb14 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Sun, 25 Nov 2018 12:15:51 +0100
Subject: avformat/ac3dec: always skip junk bytes before sync bytes

Fixes #7278.
---
 libavcodec/ac3dec.c  | 20 +++++++++++++++++---
 libavformat/ac3dec.c |  2 +-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index 43b22b7654..71419458fa 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -1467,7 +1467,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
     int buf_size, full_buf_size = avpkt->size;
     AC3DecodeContext *s = avctx->priv_data;
     int blk, ch, err, offset, ret;
-    int got_independent_frame = 0;
+    int skip = 0, got_independent_frame = 0;
     const uint8_t *channel_map;
     uint8_t extended_channel_map[EAC3_MAX_CHANNELS];
     const SHORTFLOAT *output[AC3_MAX_CHANNELS];
@@ -1477,6 +1477,14 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data,
     s->superframe_size = 0;
 
     buf_size = full_buf_size;
+    while (buf_size > 2) {
+        if (AV_RB16(buf) != 0x770B && AV_RL16(buf) != 0x770B) {
+            buf += 1;
+            buf_size -= 1;
+            continue;
+        }
+        break;
+    }
     /* copy input buffer to decoder context to avoid reading past the end
        of the buffer, which can be caused by a damaged input stream. */
     if (buf_size >= 2 && AV_RB16(buf) == 0x770B) {
@@ -1637,6 +1645,11 @@ dependent_frame:
         AC3HeaderInfo hdr;
         int err;
 
+        if (buf_size - s->frame_size <= 16) {
+            skip = buf_size - s->frame_size;
+            goto skip;
+        }
+
         if ((ret = init_get_bits8(&s->gbc, buf + s->frame_size, buf_size - s->frame_size)) < 0)
             return ret;
 
@@ -1657,6 +1670,7 @@ dependent_frame:
             }
         }
     }
+skip:
 
     frame->decode_error_flags = err ? FF_DECODE_ERROR_INVALID_BITSTREAM : 0;
 
@@ -1796,9 +1810,9 @@ dependent_frame:
     *got_frame_ptr = 1;
 
     if (!s->superframe_size)
-        return FFMIN(full_buf_size, s->frame_size);
+        return FFMIN(full_buf_size, s->frame_size + skip);
 
-    return FFMIN(full_buf_size, s->superframe_size);
+    return FFMIN(full_buf_size, s->superframe_size + skip);
 }
 
 /**
diff --git a/libavformat/ac3dec.c b/libavformat/ac3dec.c
index 6f423ff7eb..2718061bdc 100644
--- a/libavformat/ac3dec.c
+++ b/libavformat/ac3dec.c
@@ -47,7 +47,7 @@ static int ac3_eac3_probe(AVProbeData *p, enum AVCodecID expected_codec_id)
             uint16_t frame_size;
             int i, ret;
 
-            if(!memcmp(buf2, "\x1\x10\0\0\0\0\0\0", 8)) {
+            if(!memcmp(buf2, "\x1\x10", 2)) {
                 if (buf2 + 16 > end)
                     break;
                 buf2+=16;
-- 
cgit v1.2.3