[libav-devel] [PATCH] aac: fix infinite loop on end-of-file with sequence of 1-bits.

Ronald S. Bultje Wed, 22 Feb 2012 09:45:54 -0800

From: "Ronald S. Bultje" <[email protected]>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: [email protected]
---
 libavcodec/aacdec.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)


diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index dd9eefc..6cbb637 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -973,13 +973,14 @@ static int decode_band_types(AACContext *ac, enum 
BandType band_type[120],
                 av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
                 return -1;
             }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1) {
+                if (get_bits_left(gb) < 0) {
+                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+                    return -1;
+                }
                 sect_end += sect_len_incr;
-            sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0) {
-                av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                return -1;
             }
+            sect_end += sect_len_incr;
             if (sect_end > ics->max_sfb) {
                 av_log(ac->avctx, AV_LOG_ERROR,
                        "Number of bands (%d) exceeds limit (%d).\n",
-- 
1.7.7.4

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH] aac: fix infinite loop on end-of-file with sequence of 1-bits.

Reply via email to