diff options
author | Alex Converse <alex.converse@gmail.com> | 2012-02-22 11:05:42 -0800 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-04-01 18:33:26 +0200 |
commit | bf9f26cef73eea9d9c2e73b89a5fe88e5aedc737 (patch) | |
tree | 942d7526f990853a5cf02cd9afc8358eacdc833e | |
parent | 0fbde741cbca76e826d0dce446480b02da5f6706 (diff) | |
download | ffmpeg-bf9f26cef73eea9d9c2e73b89a5fe88e5aedc737.tar.gz |
aac: fix infinite loop on end-of-frame with sequence of 1-bits.
Based-on-work-by: Ronald S. Bultje <rsbultje@gmail.com>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 1cd9a6154bc1ac1193c703cea980ed21c3e53792)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r-- | libavcodec/aacdec.c | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index f1203d307e..cf7b43d53f 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -752,19 +752,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120], av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n"); return -1; } - while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1) + do { + sect_len_incr = get_bits(gb, bits); sect_end += sect_len_incr; - sect_end += sect_len_incr; - if (get_bits_left(gb) < 0) { - av_log(ac->avctx, AV_LOG_ERROR, overread_err); - return -1; - } - if (sect_end > ics->max_sfb) { - av_log(ac->avctx, AV_LOG_ERROR, - "Number of bands (%d) exceeds limit (%d).\n", - sect_end, ics->max_sfb); - return -1; - } + if (get_bits_left(gb) < 0) { + av_log(ac->avctx, AV_LOG_ERROR, overread_err); + return -1; + } + if (sect_end > ics->max_sfb) { + av_log(ac->avctx, AV_LOG_ERROR, + "Number of bands (%d) exceeds limit (%d).\n", + sect_end, ics->max_sfb); + return -1; + } + } while (sect_len_incr == (1 << bits) - 1); for (; k < sect_end; k++) { band_type [idx] = sect_band_type; band_type_run_end[idx++] = sect_end; |