[FFmpeg-devel] [PATCH 3/3] avcodec/aacsbr_template: Add Check to read_sbr_envelope()

Michael Niedermayer michaelni at gmx.at
Thu Nov 19 14:17:52 CET 2015


From: Michael Niedermayer <michael at niedermayer.cc>

The limit is a conservative guess; the spec does not seem to specify a limit.

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/aacsbr_template.c |   41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c
index 748877d..5c1cd5c 100644
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@@ -791,7 +791,7 @@ static void read_sbr_invf(SpectralBandReplication *sbr, GetBitContext *gb,
         ch_data->bs_invf_mode[0][i] = get_bits(gb, 2);
 }
 
-static void read_sbr_envelope(SpectralBandReplication *sbr, GetBitContext *gb,
+static int read_sbr_envelope(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb,
                               SBRData *ch_data, int ch)
 {
     int bits;
@@ -835,29 +835,49 @@ static void read_sbr_envelope(SpectralBandReplication *sbr, GetBitContext *gb,
         if (ch_data->bs_df_env[i]) {
             // bs_freq_res[0] == bs_freq_res[bs_num_env] from prev frame
             if (ch_data->bs_freq_res[i + 1] == ch_data->bs_freq_res[i]) {
-                for (j = 0; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++)
+                for (j = 0; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++) {
                     ch_data->env_facs_q[i + 1][j] = ch_data->env_facs_q[i][j] + delta * (get_vlc2(gb, t_huff, 9, 3) - t_lav);
+                    if (ch_data->env_facs_q[i + 1][j] > 127U) {
+                        av_log(ac->avctx, AV_LOG_ERROR, "env_facs_q %d is invalid\n", ch_data->env_facs_q[i + 1][j]);
+                        return AVERROR_INVALIDDATA;
+                    }
+                }
             } else if (ch_data->bs_freq_res[i + 1]) {
                 for (j = 0; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++) {
                     k = (j + odd) >> 1; // find k such that f_tablelow[k] <= f_tablehigh[j] < f_tablelow[k + 1]
                     ch_data->env_facs_q[i + 1][j] = ch_data->env_facs_q[i][k] + delta * (get_vlc2(gb, t_huff, 9, 3) - t_lav);
+                    if (ch_data->env_facs_q[i + 1][j] > 127U) {
+                        av_log(ac->avctx, AV_LOG_ERROR, "env_facs_q %d is invalid\n", ch_data->env_facs_q[i + 1][j]);
+                        return AVERROR_INVALIDDATA;
+                    }
                 }
             } else {
                 for (j = 0; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++) {
                     k = j ? 2*j - odd : 0; // find k such that f_tablehigh[k] == f_tablelow[j]
                     ch_data->env_facs_q[i + 1][j] = ch_data->env_facs_q[i][k] + delta * (get_vlc2(gb, t_huff, 9, 3) - t_lav);
+                    if (ch_data->env_facs_q[i + 1][j] > 127U) {
+                        av_log(ac->avctx, AV_LOG_ERROR, "env_facs_q %d is invalid\n", ch_data->env_facs_q[i + 1][j]);
+                        return AVERROR_INVALIDDATA;
+                    }
                 }
             }
         } else {
             ch_data->env_facs_q[i + 1][0] = delta * get_bits(gb, bits); // bs_env_start_value_balance
-            for (j = 1; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++)
+            for (j = 1; j < sbr->n[ch_data->bs_freq_res[i + 1]]; j++) {
                 ch_data->env_facs_q[i + 1][j] = ch_data->env_facs_q[i + 1][j - 1] + delta * (get_vlc2(gb, f_huff, 9, 3) - f_lav);
+                if (ch_data->env_facs_q[i + 1][j] > 127U) {
+                    av_log(ac->avctx, AV_LOG_ERROR, "env_facs_q %d is invalid\n", ch_data->env_facs_q[i + 1][j]);
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         }
     }
 
     //assign 0th elements of env_facs_q from last elements
     memcpy(ch_data->env_facs_q[0], ch_data->env_facs_q[ch_data->bs_num_env],
            sizeof(ch_data->env_facs_q[0]));
+
+    return 0;
 }
 
 static int read_sbr_noise(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb,
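Review bot: Each new `> 127U` test reads `ch_data->env_facs_q[i + 1][j]` back after the sum has already been stored, so if the array's element type is narrower than `int` (its declaration is outside this hunk), an out-of-range sum can be truncated into 0..127 by the store and pass the check. Computing into a local first avoids that and keeps a rejected value out of the per-channel state that the `from prev frame` comment says carries over: `int v = ch_data->env_facs_q[i][j] + delta * (get_vlc2(gb, t_huff, 9, 3) - t_lav);`, then `if (v > 127U) { av_log(...); return AVERROR_INVALIDDATA; }`, then `ch_data->env_facs_q[i + 1][j] = v;`. The same applies to all four loops, which could share one small static helper instead of repeating the block. The start value `ch_data->env_facs_q[i + 1][0] = delta * get_bits(gb, bits)` in the final `else` branch gets no check at all; `bits` and `delta` are set above the hunk, so whether that product can exceed 127 should be confirmed. The function begins before this hunk, so the declarations and the setup of `delta`, `bits` and `odd` are not visible here.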
@@ -951,7 +971,8 @@ static int read_sbr_single_channel_element(AACContext *ac,
         return -1;
     read_sbr_dtdf(sbr, gb, &sbr->data[0]);
     read_sbr_invf(sbr, gb, &sbr->data[0]);
-    read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
+    if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+        return ret;
     if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
         return ret;
 
@@ -979,10 +1000,12 @@ static int read_sbr_channel_pair_element(AACContext *ac,
         read_sbr_invf(sbr, gb, &sbr->data[0]);
         memcpy(sbr->data[1].bs_invf_mode[1], sbr->data[1].bs_invf_mode[0], sizeof(sbr->data[1].bs_invf_mode[0]));
         memcpy(sbr->data[1].bs_invf_mode[0], sbr->data[0].bs_invf_mode[0], sizeof(sbr->data[1].bs_invf_mode[0]));
-        read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
+        if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+            return ret;
         if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
             return ret;
-        read_sbr_envelope(sbr, gb, &sbr->data[1], 1);
+        if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[1], 1)) < 0)
+            return ret;
         if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[1], 1)) < 0)
             return ret;
     } else {
@@ -993,8 +1016,10 @@ static int read_sbr_channel_pair_element(AACContext *ac,
         read_sbr_dtdf(sbr, gb, &sbr->data[1]);
         read_sbr_invf(sbr, gb, &sbr->data[0]);
         read_sbr_invf(sbr, gb, &sbr->data[1]);
-        read_sbr_envelope(sbr, gb, &sbr->data[0], 0);
-        read_sbr_envelope(sbr, gb, &sbr->data[1], 1);
+        if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[0], 0)) < 0)
+            return ret;
+        if((ret = read_sbr_envelope(ac, sbr, gb, &sbr->data[1], 1)) < 0)
+            return ret;
         if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[0], 0)) < 0)
             return ret;
         if((ret = read_sbr_noise(ac, sbr, gb, &sbr->data[1], 1)) < 0)
-- 
1.7.9.5


