avcodec/aacdec: Fix pulse position checks in decode_pulses()

Fixes out of array read Fixes: asan_static-oob_1efed25_1887_cov_2013541199_HeyYa_RA10_AAC_192K_30s.rm Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 6e42ccb9dbc13836cd52cda594f819d17af9afa2) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-02-03 05:04:42 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2014-02-23 14:49:29 +0100
commit: 9fb364babdc7788bf955100958ef596448e5c1b1 (patch)
tree: da8057fcff1528a0b019ea4e2217bceb26cbce0e
parent: d79419d0f993ed1c4145b0a71bbf63d0e0976022 (diff)
download: ffmpeg-9fb364babdc7788bf955100958ef596448e5c1b1.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 396aa44ec5..407125713c 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1405,12 +1405,12 @@ static int decode_pulses(Pulse *pulse, GetBitContext *gb,
         return -1;
     pulse->pos[0]    = swb_offset[pulse_swb];
     pulse->pos[0]   += get_bits(gb, 5);
-    if (pulse->pos[0] > 1023)
+    if (pulse->pos[0] >= swb_offset[num_swb])
         return -1;
     pulse->amp[0]    = get_bits(gb, 4);
     for (i = 1; i < pulse->num_pulse; i++) {
         pulse->pos[i] = get_bits(gb, 5) + pulse->pos[i - 1];
-        if (pulse->pos[i] > 1023)
+        if (pulse->pos[i] >= swb_offset[num_swb])
             return -1;
         pulse->amp[i] = get_bits(gb, 4);
     }
author	Michael Niedermayer <michaelni@gmx.at>	2014-02-03 05:04:42 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2014-02-23 14:49:29 +0100
commit	9fb364babdc7788bf955100958ef596448e5c1b1 (patch)
tree	da8057fcff1528a0b019ea4e2217bceb26cbce0e
parent	d79419d0f993ed1c4145b0a71bbf63d0e0976022 (diff)
download	ffmpeg-9fb364babdc7788bf955100958ef596448e5c1b1.tar.gz