[FFmpeg-cvslog] avcodec/aacsbr_template: Check values read in read_sbr_noise()

Michael Niedermayer git at videolan.org
Thu Nov 19 13:16:23 CET 2015


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Thu Nov 19 13:00:27 2015 +0100| [d877b88f5188fa3d71525c8d4d404daa4798e9fb] | committer: Michael Niedermayer

avcodec/aacsbr_template: Check values read in read_sbr_noise()

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d877b88f5188fa3d71525c8d4d404daa4798e9fb
---

 libavcodec/aacsbr_template.c |   36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c
index 906823a..7772b68 100644
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@@ -886,7 +886,7 @@ static void read_sbr_envelope(SpectralBandReplication *sbr, GetBitContext *gb,
            sizeof(ch_data->env_facs[0]));
 }
 
-static void read_sbr_noise(SpectralBandReplication *sbr, GetBitContext *gb,
+static int read_sbr_noise(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb,
                            SBRData *ch_data, int ch)
 {
     int i, j;
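Review bot: read_sbr_noise() now returns a status and takes `ac`, but nothing at the definition documents the new contract. A short comment above the signature would cover it, for example `/* Returns 0 on success, AVERROR_INVALIDDATA when a decoded noise_facs_q value fails the > 30U range test. */`. In the lines visible in this diff `ac` is used only as the av_log() context, which is worth stating in the same comment. The function body continues outside this hunk.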
@@ -908,18 +908,29 @@ static void read_sbr_noise(SpectralBandReplication *sbr, GetBitContext *gb,
 
     for (i = 0; i < ch_data->bs_num_noise; i++) {
         if (ch_data->bs_df_noise[i]) {
-            for (j = 0; j < sbr->n_q; j++)
+            for (j = 0; j < sbr->n_q; j++) {
                 ch_data->noise_facs_q[i + 1][j] = ch_data->noise_facs_q[i][j] + delta * (get_vlc2(gb, t_huff, 9, 2) - t_lav);
+                if (ch_data->noise_facs_q[i + 1][j] > 30U) {
+                    av_log(ac->avctx, AV_LOG_ERROR, "noise_facs_q %d is invalid\n", ch_data->noise_facs_q[i + 1][j]);
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         } else {
             ch_data->noise_facs_q[i + 1][0] = delta * get_bits(gb, 5); // bs_noise_start_value_balance or bs_noise_start_value_level
-            for (j = 1; j < sbr->n_q; j++)
+            for (j = 1; j < sbr->n_q; j++) {
                 ch_data->noise_facs_q[i + 1][j] = ch_data->noise_facs_q[i + 1][j - 1] + delta * (get_vlc2(gb, f_huff, 9, 3) - f_lav);
+                if (ch_data->noise_facs_q[i + 1][j] > 30U) {
+                    av_log(ac->avctx, AV_LOG_ERROR, "noise_facs_q %d is invalid\n", ch_data->noise_facs_q[i + 1][j]);
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         }
     }
 
     //assign 0th elements of noise_facs_q from last elements
     memcpy(ch_data->noise_facs_q[0], ch_data->noise_facs_q[ch_data->bs_num_noise],
            sizeof(ch_data->noise_facs_q[0]));
+    return 0;
 }
 
 static void read_sbr_extension(AACContext *ac, SpectralBandReplication *sbr,
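Review bot: The start value in the else branch, `ch_data->noise_facs_q[i + 1][0] = delta * get_bits(gb, 5);`, is stored without the `> 30U` test that both loops now apply, although a 5-bit read alone can yield 31 and `delta` (set outside this hunk) may scale it further. Because the `j = 1` loop does not run when `sbr->n_q` is 1, that element can be the only one written for the row and is then never checked. Adding `if (ch_data->noise_facs_q[i + 1][0] > 30U) return AVERROR_INVALIDDATA;` right after the assignment, with the same av_log() call, would close the gap, assuming 30 is the intended bound for every element. Separately, both loops store the value before testing it, so the rejected value stays in `noise_facs_q` on the error return and the final memcpy is skipped; whether that matters depends on how callers treat SBR state after a failure, which is not visible here.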
@@ -957,6 +968,8 @@ static int read_sbr_single_channel_element(AACContext *ac,
                                             SpectralBandReplication *sbr,
                                             GetBitContext *gb)
 {
+    int ret;
+
     if (get_bits1(gb)) // bs_data_extra
         skip_bits(gb, 4); // bs_reserved
 
@@ -965,7 +978,8 @@ static int read_sbr_single_channel_element(AACContext *ac,
     read_sbr_dtdf(sbr, gb, &sbr->data[0]);
     read_sbr_invf(sbr, gb, &sbr->data[0]);
     read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
-    read_sbr_noise(sbr, gb, &sbr->data[0], 0);
+    if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+        return ret;
 
     if ((sbr->data[0].bs_add_harmonic_flag = get_bits1(gb)))
         get_bits1_vector(gb, sbr->data[0].bs_add_harmonic, sbr->n[1]);
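Review bot: When read_sbr_noise() fails, this function returns after read_sbr_dtdf(), read_sbr_invf() and read_sbr_envelope() have already been run on `sbr->data[0]` for the frame, so the channel data is presumably left partly updated. The caller is outside this diff, so it should be confirmed that it resets or disables SBR on a negative return rather than decoding from that state. The same applies to the added returns in the read_sbr_channel_pair_element hunks below, where one channel may have been updated and the other not. As a style point, `if((ret = ...` lacks the space after `if` used on the surrounding lines; `if ((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)` matches them. The function begins and ends outside the hunk.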
@@ -977,6 +991,8 @@ static int read_sbr_channel_pair_element(AACContext *ac,
                                           SpectralBandReplication *sbr,
                                           GetBitContext *gb)
 {
+    int ret;
+
     if (get_bits1(gb))    // bs_data_extra
         skip_bits(gb, 8); // bs_reserved
 
@@ -990,9 +1006,11 @@ static int read_sbr_channel_pair_element(AACContext *ac,
         memcpy(sbr->data[1].bs_invf_mode[1], sbr->data[1].bs_invf_mode[0], sizeof(sbr->data[1].bs_invf_mode[0]));
         memcpy(sbr->data[1].bs_invf_mode[0], sbr->data[0].bs_invf_mode[0], sizeof(sbr->data[1].bs_invf_mode[0]));
         read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
-        read_sbr_noise(sbr, gb, &sbr->data[0], 0);
+        if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+            return ret;
         read_sbr_envelope(sbr, gb, &sbr->data[1], 1);
-        read_sbr_noise(sbr, gb, &sbr->data[1], 1);
+        if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[1], 1)) < 0)
+            return ret;
     } else {
         if (read_sbr_grid(ac, sbr, gb, &sbr->data[0]) ||
             read_sbr_grid(ac, sbr, gb, &sbr->data[1]))
@@ -1003,8 +1021,10 @@ static int read_sbr_channel_pair_element(AACContext *ac,
         read_sbr_invf(sbr, gb, &sbr->data[1]);
         read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
         read_sbr_envelope(sbr, gb, &sbr->data[1], 1);
-        read_sbr_noise(sbr, gb, &sbr->data[0], 0);
-        read_sbr_noise(sbr, gb, &sbr->data[1], 1);
+        if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+            return ret;
+        if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[1], 1)) < 0)
+            return ret;
     }
 
     if ((sbr->data[0].bs_add_harmonic_flag = get_bits1(gb)))


