Fixes: out of array read
Fixes: 1072/clusterfuzz-testcase-6456688074817536
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavcodec/aacdec_template.c | 14 --
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 98a3240597..b20855b99d 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -406,11 +406,15 @@ static uint64_t sniff_channel_order(uint8_t
(*layout_map)[3], int tags)
/**
* Save current output configuration if and only if it has been locked.
*/
-static void push_output_configuration(AACContext *ac) {
+static int push_output_configuration(AACContext *ac) {
+int pushed = 0;
+
if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) {
ac->oc[0] = ac->oc[1];
+pushed = 1;
}
ac->oc[1].status = OC_NONE;
+return pushed;
}
/**
@@ -3026,7 +3030,13 @@ static int aac_decode_frame_int(AVCodecContext *avctx,
void *data,
case TYPE_PCE: {
uint8_t layout_map[MAX_ELEM_ID*4][3];
int tags;
-push_output_configuration(ac);
+
+int pushed = push_output_configuration(ac);
+if (pce_found && !pushed) {
+err = AVERROR_INVALIDDATA;
+goto fail;
+}
+
tags = decode_pce(avctx, >oc[1].m4ac, layout_map, gb,
payload_alignment);
if (tags < 0) {
--
2.11.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel