From 991e23519ac53adc624338b3a7628c9c289268cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Nov 2012 19:24:56 +0100 Subject: aacps: check iid/icc_par more completely. Fixes global out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'libavcodec/aacps.c') diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index c8002e2ae5..25ed1d0292 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -236,6 +236,7 @@ int ff_ps_read_data(AVCodecContext *avctx, GetBitContext *gb_host, PSContext *ps if (!ps->num_env || ps->border_position[ps->num_env] < numQMFSlots - 1) { //Create a fake envelope int source = ps->num_env ? ps->num_env - 1 : ps->num_env_old - 1; + int b; if (source >= 0 && source != ps->num_env) { if (ps->enable_iid) { memcpy(ps->iid_par+ps->num_env, ps->iid_par+source, sizeof(ps->iid_par[0])); @@ -248,6 +249,22 @@ int ff_ps_read_data(AVCodecContext *avctx, GetBitContext *gb_host, PSContext *ps memcpy(ps->opd_par+ps->num_env, ps->opd_par+source, sizeof(ps->opd_par[0])); } } + if (ps->enable_iid){ + for (b = 0; b < ps->nr_iid_par; b++) { + if (FFABS(ps->iid_par[ps->num_env][b]) > 7 + 8 * ps->iid_quant) { + av_log(avctx, AV_LOG_ERROR, "iid_par invalid\n"); + goto err; + } + } + } + if (ps->enable_icc){ + for (b = 0; b < ps->nr_iid_par; b++) { + if (ps->icc_par[ps->num_env][b] > 7U) { + av_log(avctx, AV_LOG_ERROR, "icc_par invalid\n"); + goto err; + } + } + } ps->num_env++; ps->border_position[ps->num_env] = numQMFSlots - 1; } -- cgit v1.2.3