diff options
author | Alex Converse <alex.converse@gmail.com> | 2012-02-22 11:05:42 -0800 |
---|---|---|
committer | Alex Converse <alex.converse@gmail.com> | 2012-02-22 11:23:43 -0800 |
commit | 1cd9a6154bc1ac1193c703cea980ed21c3e53792 (patch) | |
tree | 54deb26653e6044bcf63e7d5795b81321e4b29da /libavcodec | |
parent | b142496c5630b9bc88fb9eaccae7f6bd62fb23e7 (diff) | |
download | ffmpeg-1cd9a6154bc1ac1193c703cea980ed21c3e53792.tar.gz |
aac: fix infinite loop on end-of-frame with sequence of 1-bits.
Based-on-work-by: Ronald S. Bultje <rsbultje@gmail.com>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/aacdec.c | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index dd9eefca07..f491a098c3 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -973,19 +973,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120], av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n"); return -1; } - while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1) + do { + sect_len_incr = get_bits(gb, bits); sect_end += sect_len_incr; - sect_end += sect_len_incr; - if (get_bits_left(gb) < 0) { - av_log(ac->avctx, AV_LOG_ERROR, overread_err); - return -1; - } - if (sect_end > ics->max_sfb) { - av_log(ac->avctx, AV_LOG_ERROR, - "Number of bands (%d) exceeds limit (%d).\n", - sect_end, ics->max_sfb); - return -1; - } + if (get_bits_left(gb) < 0) { + av_log(ac->avctx, AV_LOG_ERROR, overread_err); + return -1; + } + if (sect_end > ics->max_sfb) { + av_log(ac->avctx, AV_LOG_ERROR, + "Number of bands (%d) exceeds limit (%d).\n", + sect_end, ics->max_sfb); + return -1; + } + } while (sect_len_incr == (1 << bits) - 1); for (; k < sect_end; k++) { band_type [idx] = sect_band_type; band_type_run_end[idx++] = sect_end; |