From 71953ebcf94fe4ef316cdad1f276089205dd1d65 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sun, 4 Aug 2013 15:00:02 +0200 Subject: aac: Check init_get_bits return value Some code paths can call it with invalid length. CC: libav-stable@libav.org --- libavcodec/aacdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'libavcodec/aacdec.c') diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 659be55d0d..8eaee60d20 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -789,7 +789,8 @@ static int decode_audio_specific_config(AACContext *ac, av_dlog(avctx, "%02x ", avctx->extradata[i]); av_dlog(avctx, "\n"); - init_get_bits(&gb, data, bit_size); + if ((ret = init_get_bits(&gb, data, bit_size)) < 0) + return ret; if ((i = avpriv_mpeg4audio_get_config(m4ac, data, bit_size, sync_extension)) < 0) @@ -2635,7 +2636,8 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, } } - init_get_bits(&gb, buf, buf_size * 8); + if ((err = init_get_bits(&gb, buf, buf_size * 8)) < 0) + return err; if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb)) < 0) return err; @@ -2878,7 +2880,8 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out, int muxlength, err; GetBitContext gb; - init_get_bits(&gb, avpkt->data, avpkt->size * 8); + if ((err = init_get_bits(&gb, avpkt->data, avpkt->size * 8)) < 0) + return err; // check for LOAS sync word if (get_bits(&gb, 11) != LOAS_SYNC_WORD) -- cgit v1.2.3