aac: Keep decode_band_types() from eating all padding at the end of a buffer.

Due to a shortcoming in the AAC specification, if an all zero buffer is
fed to section data decoding it will never terminate. That means without
a buffer exhaustion check decode_band_types() will consume all input
buffer padding. Worse if a get_bits() implementation that returns zeros
when padding is exhausted is used, the function will never terminate.

The fixes that by added a buffer exhaustion check in the sectioning
decoding loop.

Originally committed as revision 22044 to svn://svn.ffmpeg.org/ffmpeg/trunk

1 files changed, 4 insertions, 0 deletions

diff --git a/libavcodec/aac.c b/libavcodec/aac.c
index 87eac4c74a..faf1d7287f 100644
--- a/libavcodec/aac.c
+++ b/libavcodec/aac.c
@@ -715,6 +715,10 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
             while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
                 sect_end += sect_len_incr;
             sect_end += sect_len_incr;
+            if (get_bits_left(gb) < 0) {
+                av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
+                return -1;
+            }
             if (sect_end > ics->max_sfb) {
                 av_log(ac->avccontext, AV_LOG_ERROR,
                        "Number of bands (%d) exceeds limit (%d).\n",