[FFmpeg-cvslog] aacdec: add decode_channel_map overread check

Reimar Döffinger git at videolan.org
Sat May 7 18:09:33 CEST 2011


ffmpeg | branch: master | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Sat May  7 17:49:42 2011 +0200| [6fd00e9dd94ac3aecf4fa14ca6fa23c395215ac9] | committer: Reimar Döffinger

aacdec: add decode_channel_map overread check

All decode_channel_map calls together can easily read
more data than the amount of padding available.
Thus below patch adds an input length check before reading them.
Fixes some invalid reads with sample from
http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1138

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6fd00e9dd94ac3aecf4fa14ca6fa23c395215ac9
---

 libavcodec/aacdec.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 76b14a1..48c0367 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -315,6 +315,10 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac,
     if (get_bits1(gb))
         skip_bits(gb, 3); // mixdown_coeff_index and pseudo_surround
 
+    if (get_bits_left(gb) < 4 * (num_front + num_side + num_back + num_lfe + num_assoc_data + num_cc)) {
+        av_log(avctx, AV_LOG_ERROR, overread_err);
+        return -1;
+    }
     decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_FRONT, gb, num_front);
     decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_SIDE,  gb, num_side );
     decode_channel_map(new_che_pos[TYPE_CPE], new_che_pos[TYPE_SCE], AAC_CHANNEL_BACK,  gb, num_back );
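
Review bot: The `4 *` factor in the added `get_bits_left(gb)` check assumes every channel-map entry is exactly 4 bits wide for all six counts, but the hunk does not show how many bits decode_channel_map consumes per entry. If any element type reads more than 4 bits per entry (for example a flag bit ahead of the tag), the bound undercounts and the reads can still run past the end of the input into the padding the commit message describes as insufficient. Please confirm the per-entry width for each of the six calls, use the larger width for the affected counts if needed, and add a one-line comment above the `if` stating the bits-per-entry assumption. Minor points on the same lines: `return -1` could be a specific error code such as AVERROR_INVALIDDATA, and `av_log(avctx, AV_LOG_ERROR, overread_err)` passes a variable as the format string, which is safer written as `"%s", overread_err` unless that string is guaranteed to stay free of `%`.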


