authorMichael Niedermayer <michael@niedermayer.cc>2017-09-30 18:54:05 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-10-05 01:29:45 +0200
commitd0e4c3410c90d9311009b6c7105d11d4abf45f7b (patch)
tree43d54829a14b0d494f8ad70d8fc818f331c60142
parentfc1acb103ddee549190974270e56af0a2dfee9f8 (diff)
downloadffmpeg-d0e4c3410c90d9311009b6c7105d11d4abf45f7b.tar.gz
avcodec/aacdec_template: Clear tns present flag on error
Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit dcf9bae4a93f54cb5767bc97db4a809efd396f8b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/aacdec_template.c44
1 files changed, 28 insertions, 16 deletions
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 13a342784e..3cb8f32403 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -1941,16 +1941,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
global_gain = get_bits(gb, 8);
if (!common_window && !scale_flag) {
- if (decode_ics_info(ac, ics, gb) < 0)
- return AVERROR_INVALIDDATA;
+ ret = decode_ics_info(ac, ics, gb);
+ if (ret < 0)
+ goto fail;
}
if ((ret = decode_band_types(ac, sce->band_type,
sce->band_type_run_end, gb, ics)) < 0)
- return ret;
+ goto fail;
if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics,
sce->band_type, sce->band_type_run_end)) < 0)
- return ret;
+ goto fail;
pulse_present = 0;
if (!scale_flag) {
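Review bot: The first error path in this hunk now returns whatever `decode_ics_info()` returned rather than the fixed `AVERROR_INVALIDDATA` of the removed lines, and the `decode_tns()` and `decode_spectrum_and_dequant()` paths in the next hunk change in the same way. The commit message only mentions clearing the TNS flag, so a caller that compares against a specific error code could see different behaviour without any record of why. If the old value should be preserved, `if (ret < 0) { ret = AVERROR_INVALIDDATA; goto fail; }` does that; otherwise the propagation deserves a mention in the description. The `fail` label these jumps target is in the following hunk, and the start of decode_ics lies outside this one.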
@@ -1958,37 +1959,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce,
if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) {
av_log(ac->avctx, AV_LOG_ERROR,
"Pulse tool not allowed in eight short sequence.\n");
- return AVERROR_INVALIDDATA;
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
}
if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) {
av_log(ac->avctx, AV_LOG_ERROR,
"Pulse data corrupt or invalid.\n");
- return AVERROR_INVALIDDATA;
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
}
}
tns->present = get_bits1(gb);
- if (tns->present && !er_syntax)
- if (decode_tns(ac, tns, gb, ics) < 0)
- return AVERROR_INVALIDDATA;
+ if (tns->present && !er_syntax) {
+ ret = decode_tns(ac, tns, gb, ics);
+ if (ret < 0)
+ goto fail;
+ }
if (!eld_syntax && get_bits1(gb)) {
avpriv_request_sample(ac->avctx, "SSR");
- return AVERROR_PATCHWELCOME;
+ ret = AVERROR_PATCHWELCOME;
+ goto fail;
}
// I see no textual basis in the spec for this occurring after SSR gain
// control, but this is what both reference and real implmentations do
- if (tns->present && er_syntax)
- if (decode_tns(ac, tns, gb, ics) < 0)
- return AVERROR_INVALIDDATA;
+ if (tns->present && er_syntax) {
+ ret = decode_tns(ac, tns, gb, ics);
+ if (ret < 0)
+ goto fail;
+ }
}
- if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
- &pulse, ics, sce->band_type) < 0)
- return AVERROR_INVALIDDATA;
+ ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present,
+ &pulse, ics, sce->band_type);
+ if (ret < 0)
+ goto fail;
if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window)
apply_prediction(ac, sce);
return 0;
+fail:
+ tns->present = 0;
+ return ret;
}
/**
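Review bot: The `fail:` label needs a comment explaining why `tns->present` is the one field reset there, since that is the whole point of this fuzzer fix and the code does not say it. Every failure now clears the flag, including those reached before `tns->present = get_bits1(gb)` runs, so on those paths it overwrites a value left by an earlier call; that looks deliberate but is not stated. Presumably later stages use the TNS filter data only when the flag is set, so a line such as `/* mark TNS absent on any parse error so partially decoded or stale filter data is not used */` above `tns->present = 0;` would record the intent. Whether other state written before the failure (band types, scalefactors) needs the same treatment cannot be judged from this hunk, because decode_ics starts outside it.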