Revision 8d637124


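--- a/libavcodec/aac.c
+++ b/libavcodec/aac.c
@@ -107,6 +107,8 @@
 
 static uint32_t cbrt_tab[1<<13];
 
+static const char overread_err[] = "Input buffer exhausted before END element found\n";
+
 static ChannelElement *get_che(AACContext *ac, int type, int elem_id)
 {
     if (ac->tag_che_map[type][elem_id]) {
@@ -278,6 +280,7 @@
                       GetBitContext *gb)
 {
     int num_front, num_side, num_back, num_lfe, num_assoc_data, num_cc, sampling_index;
+    int comment_len;
 
     skip_bits(gb, 2);  // object_type
 
@@ -312,7 +315,12 @@
     align_get_bits(gb);
 
     /* comment field, first byte is length */
-    skip_bits_long(gb, 8 * get_bits(gb, 8));
+    comment_len = get_bits(gb, 8) * 8;
+    if (get_bits_left(gb) < comment_len) {
+        av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
+        return -1;
+    }
+    skip_bits_long(gb, comment_len);
     return 0;
 }
 
@@ -574,7 +582,7 @@
 /**
  * Skip data_stream_element; reference: table 4.10.
  */
-static void skip_data_stream_element(GetBitContext *gb)
+static int skip_data_stream_element(AACContext *ac, GetBitContext *gb)
 {
     int byte_align = get_bits1(gb);
     int count = get_bits(gb, 8);
@@ -582,7 +590,13 @@
         count += get_bits(gb, 8);
     if (byte_align)
         align_get_bits(gb);
+
+    if (get_bits_left(gb) < 8 * count) {
+        av_log(ac->avccontext, AV_LOG_ERROR, overread_err);
+        return -1;
+    }
     skip_bits_long(gb, 8 * count);
+    return 0;
 }
 
 static int decode_prediction(AACContext *ac, IndividualChannelStream *ics,
@@ -1972,8 +1986,7 @@
             break;
 
         case TYPE_DSE:
-            skip_data_stream_element(&gb);
-            err = 0;
+            err = skip_data_stream_element(ac, &gb);
             break;
 
         case TYPE_PCE: {
@@ -1992,6 +2005,10 @@
         case TYPE_FIL:
             if (elem_id == 15)
                 elem_id += get_bits(&gb, 8) - 1;
+            if (get_bits_left(&gb) < 8 * elem_id) {
+                    av_log(avccontext, AV_LOG_ERROR, overread_err);
+                    return -1;
+            }
             while (elem_id > 0)
                 elem_id -= decode_extension_payload(ac, &gb, elem_id);
             err = 0; /* FIXME */
@@ -2004,6 +2021,11 @@
 
         if (err)
             return err;
+
+        if (get_bits_left(&gb) < 3) {
+            av_log(avccontext, AV_LOG_ERROR, overread_err);
+            return -1;
+        }
     }
 
     spectral_to_sample(ac);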
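Review bot: Every added `av_log(..., AV_LOG_ERROR, overread_err)` call passes a non-literal as the format argument; overread_err is a fixed string with no conversion specifiers today, so this is not exploitable now, but it silences `-Wformat-security` and turns into a format-string bug the moment the message gains a `%`. Prefer `av_log(ac->avccontext, AV_LOG_ERROR, "%s", overread_err);` (and the `avccontext` variants in the frame-decode loop), or define the message as a macro so it stays a literal at each call site. In the TYPE_FIL case the new bits-left check bounds the payload bytes but not the loop that follows it: `while (elem_id > 0) elem_id -= decode_extension_payload(...)` still has no guard if that helper ever returns 0, and the `err = 0; /* FIXME */` after it keeps masking any failure it reports. The enclosing frame-decode loop and the functions containing these hunks start and end outside the visible hunks.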
