diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2015-07-01 02:05:43 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2015-07-01 02:33:45 +0200 |
commit | 79a98294da6cd85f8c86b34764c5e0c43b09eea3 (patch) | |
tree | 06beefe55ab66bdbb0a9af09d158b3a109cfc4c1 | |
parent | 4ebb43f19c416e1601730ca9ae57749b1385c563 (diff) | |
download | ffmpeg-79a98294da6cd85f8c86b34764c5e0c43b09eea3.tar.gz |
avcodec/aacsbr: check that the element type matches before applying SBR
Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/aacsbr.c | 8 | ||||
-rw-r--r-- | libavcodec/sbr.h | 1 |
2 files changed, 9 insertions, 0 deletions
diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 7e98834c49..ca6dad7c00 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -1019,6 +1019,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr, { unsigned int cnt = get_bits_count(gb); + sbr->id_aac = id_aac; + if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) { if (read_sbr_single_channel_element(ac, sbr, gb)) { sbr_turnoff(sbr); @@ -1695,6 +1697,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac, int nch = (id_aac == TYPE_CPE) ? 2 : 1; int err; + if (id_aac != sbr->id_aac) { + av_log(ac->avctx, AV_LOG_ERROR, + "element type mismatch %d != %d\n", id_aac, sbr->id_aac); + sbr_turnoff(sbr); + } + if (!sbr->kx_and_m_pushed) { sbr->kx[0] = sbr->kx[1]; sbr->m[0] = sbr->m[1]; diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h index e28fccda09..ff00acba0d 100644 --- a/libavcodec/sbr.h +++ b/libavcodec/sbr.h @@ -137,6 +137,7 @@ typedef struct AACSBRContext { struct SpectralBandReplication { int sample_rate; int start; + int id_aac; int reset; SpectrumParameters spectrum_params; int bs_amp_res_header; |