avcodec/aacsbr: check that the element type matches before applying SBR

Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 79a98294da6cd85f8c86b34764c5e0c43b09eea3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

2 files changed, 9 insertions, 0 deletions

diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
index 29ec2d51a9..eb00f88f1e 100644
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1018,6 +1018,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr,
 {
     unsigned int cnt = get_bits_count(gb);
 
+    sbr->id_aac = id_aac;
+
     if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) {
         if (read_sbr_single_channel_element(ac, sbr, gb)) {
             sbr_turnoff(sbr);
@@ -1694,6 +1696,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac,
     int nch = (id_aac == TYPE_CPE) ? 2 : 1;
     int err;
 
+    if (id_aac != sbr->id_aac) {
+        av_log(ac->avctx, AV_LOG_ERROR,
+            "element type mismatch %d != %d\n", id_aac, sbr->id_aac);
+        sbr_turnoff(sbr);
+    }
+
     if (!sbr->kx_and_m_pushed) {
         sbr->kx[0] = sbr->kx[1];
         sbr->m[0] = sbr->m[1];
diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h
index e28fccda09..ff00acba0d 100644
--- a/libavcodec/sbr.h
+++ b/libavcodec/sbr.h
@@ -137,6 +137,7 @@ typedef struct AACSBRContext {
 struct SpectralBandReplication {
     int                sample_rate;
     int                start;
+    int                id_aac;
     int                reset;
     SpectrumParameters spectrum_params;
     int                bs_amp_res_header;