From 7f46a641bf2540b8cf1293d5e50c0c0e34264254 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Aug 2015 01:22:27 +0200 Subject: avcodec/aacdec: Fix integer overflow in argument to decode_audio_specific_config() Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'libavcodec/aacdec_template.c') diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 1f3ef0ea38..c2d7d05650 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -940,13 +940,18 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx, static int decode_audio_specific_config(AACContext *ac, AVCodecContext *avctx, MPEG4AudioConfig *m4ac, - const uint8_t *data, int bit_size, + const uint8_t *data, int64_t bit_size, int sync_extension) { GetBitContext gb; int i, ret; - ff_dlog(avctx, "audio specific config size %d\n", bit_size >> 3); + if (bit_size < 0 || bit_size > INT_MAX) { + av_log(avctx, AV_LOG_ERROR, "Audio specific config size is invalid\n"); + return AVERROR_INVALIDDATA; + } + + ff_dlog(avctx, "audio specific config size %d\n", (int)bit_size >> 3); for (i = 0; i < bit_size >> 3; i++) ff_dlog(avctx, "%02x ", data[i]); ff_dlog(avctx, "\n"); @@ -1076,7 +1081,7 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) if (avctx->extradata_size > 0) { if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac, avctx->extradata, - avctx->extradata_size * 8, + avctx->extradata_size * 8LL, 1)) < 0) return ret; } else { @@ -3107,7 +3112,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, push_output_configuration(ac); if (decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac, avctx->extradata, - avctx->extradata_size*8, 1) < 0) { + avctx->extradata_size*8LL, 1) < 0) { pop_output_configuration(ac); return AVERROR_INVALIDDATA; } -- cgit v1.2.3