authorFraunhofer IIS FDK <audio-fdk@iis.fraunhofer.de>2018-08-15 14:35:00 +0200
committerTim Schumacher <timschumi@gmx.de>2019-01-15 17:42:07 +0100
commitc666ea2407c6502608e6798ae09a29d3be43ab20 (patch)
treef3ae0b0aa1df8eb967395eaebafa10b7103450be
parentac21d11767b75a2aa34d92d5f384d6e4b26ef683 (diff)
Break audio element loop in case element_count becomes too large.
Bug: 112891564 Test: atest DecoderTestXheAac ; atest DecoderTestAacDrc Change-Id: I35f02d23c0cfd620088291a52d9996a0d5a17199 (cherry picked from commit 3347cfb91a7ecabf5800d72e936f04ce44752bf3)
-rw-r--r--libAACdec/src/aacdecoder.cpp14
1 files changed, 13 insertions, 1 deletions
diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp
index 3a2a561..7b04ec6 100644
--- a/libAACdec/src/aacdecoder.cpp
+++ b/libAACdec/src/aacdecoder.cpp
@@ -1188,8 +1188,14 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame(
if (! (self->flags & (AC_USAC|AC_RSVD50|AC_ELD|AC_SCALABLE|AC_ER)))
type = (MP4_ELEMENT_ID) FDKreadBits(bs,3);
- else
+ else {
+ if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)) {
+ self->frameOK = 0;
+ ErrorStatus = AAC_DEC_PARSE_ERROR;
+ break;
+ }
type = self->elements[element_count];
+ }
setHcrType(&self->aacCommonData.overlay.aac.erHcrInfo, type);
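Review bot: The limit in the added check under `else {` is a pre-expanded literal, `(3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1)`, so nothing ties it to the declared length of `self->elements`, which is indexed on the following line. The same literal is repeated in the `case ID_EXT:` hunk. Since this is a cherry-pick and the declaration of `elements` is not visible here, the check only prevents an out-of-bounds read if that value equals the array length in this tree, which is worth confirming. Deriving the limit from the array itself, e.g. `if (element_count >= (int)(sizeof(self->elements) / sizeof(self->elements[0]))) {` (assuming `elements` is a fixed-size array member), would keep both checks in step with the declaration. The enclosing loop in CAacDecoder_DecodeFrame starts and ends outside the hunk.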
@@ -1484,6 +1490,12 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame(
case ID_EXT:
{
+ if (element_count >= (3 * ((8) * 2) + (((8) * 2)) / 2 + 4 * (1) + 1))
+ {
+ self->frameOK = 0;
+ ErrorStatus = AAC_DEC_PARSE_ERROR;
+ break;
+ }
INT bitCnt = 0;
/* get the remaining bits of this frame */