authorReimar Döffinger <Reimar.Doeffinger@gmx.de>2011-05-07 17:49:42 +0200
committerReimar Döffinger <Reimar.Doeffinger@gmx.de>2011-05-07 18:08:46 +0200
commit6fd00e9dd94ac3aecf4fa14ca6fa23c395215ac9 (patch)
treebfe247ef8b130f84498216d3718dfdfaa2aebac5
parent5631729c3de589b45498af5272b47b0792ca07d4 (diff)
downloadffmpeg-6fd00e9dd94ac3aecf4fa14ca6fa23c395215ac9.tar.gz
aacdec: add decode_channel_map overread check
All decode_channel_map calls together can easily read more data than the amount of padding available. Thus the patch below adds an input length check before reading them. Fixes some invalid reads with the sample from http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1138
-rw-r--r--libavcodec/aacdec.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 76b14a194c..48c0367b06 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -315,6 +315,10 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac,
if (get_bits1(gb))
skip_bits(gb, 3); // mixdown_coeff_index and pseudo_surround
+ if (get_bits_left(gb) < 4 * (num_front + num_side + num_back + num_lfe + num_assoc_data + num_cc)) {
+ av_log(avctx, AV_LOG_ERROR, overread_err);
+ return -1;
+ }
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_FRONT, gb, num_front);
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_SIDE, gb, num_side );
decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_BACK, gb, num_back );
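Review bot: The new bound in decode_pce counts 4 bits per channel element, but the decode_channel_map calls shown are each handed both a CPE and an SCE map, which suggests a 1-bit selector is read ahead of every 4-bit tag; decode_channel_map's body is outside this hunk, so that needs confirming. If it holds, the check undercounts for the front, side and back elements (and presumably cc), so a truncated PCE can still be read past the end of the input, with only the buffer padding absorbing the difference. Either make the bound exact, e.g. `if (get_bits_left(gb) < 5 * (num_front + num_side + num_back + num_cc) + 4 * (num_lfe + num_assoc_data)) {`, or keep it and say so in a comment such as `/* lower bound only: selector bits are not counted, input padding must cover the rest */`. decode_pce starts and ends outside the hunk, so the LFE, associated-data and CC reads that the sum accounts for are not visible here.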