Message ID | 20180728123232.6191-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 40c2f870aec923894692752718193404151b17b2 |
On Sat, Jul 28, 2018 at 2:33 PM Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: Timeout > Fixes: 9552/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6027842339995648 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/aacdec_template.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c > index 0c899285dd..b60b31a92c 100644 > --- a/libavcodec/aacdec_template.c > +++ b/libavcodec/aacdec_template.c > @@ -3122,6 +3122,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, > int samples = 0, multiplier, audio_found = 0, pce_found = 0; > int is_dmono, sce_count = 0; > int payload_alignment; > + uint8_t che_presence[4][MAX_ELEM_ID] = {{0}}; > > ac->frame = data; > > @@ -3159,6 +3160,14 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, > } > > if (elem_type < TYPE_DSE) { > + if (che_presence[elem_type][elem_id]) { > + av_log(ac->avctx, AV_LOG_ERROR, "channel element %d.%d duplicate\n", > + elem_type, elem_id); > + err = AVERROR_INVALIDDATA; > + goto fail; > + } > + che_presence[elem_type][elem_id] = 1; > + > if (!(che=get_che(ac, elem_type, elem_id))) { > av_log(ac->avctx, AV_LOG_ERROR, "channel element %d.%d is not allocated\n", > elem_type, elem_id);

I've been given an AAC stream that breaks decoding after this patch. I've opened a ticket with a sample file on Trac: https://trac.ffmpeg.org/ticket/7477

- Hendrik
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 0c899285dd..b60b31a92c 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -3122,6 +3122,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, int samples = 0, multiplier, audio_found = 0, pce_found = 0; int is_dmono, sce_count = 0; int payload_alignment; + uint8_t che_presence[4][MAX_ELEM_ID] = {{0}}; ac->frame = data; @@ -3159,6 +3160,14 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, } if (elem_type < TYPE_DSE) { + if (che_presence[elem_type][elem_id]) { + av_log(ac->avctx, AV_LOG_ERROR, "channel element %d.%d duplicate\n", + elem_type, elem_id); + err = AVERROR_INVALIDDATA; + goto fail; + } + che_presence[elem_type][elem_id] = 1; + if (!(che=get_che(ac, elem_type, elem_id))) { av_log(ac->avctx, AV_LOG_ERROR, "channel element %d.%d is not allocated\n", elem_type, elem_id);
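Review bot: in the first hunk, `uint8_t che_presence[4][MAX_ELEM_ID] = {{0}};` hard-codes the first dimension as `4`, while the only guard on the index is `if (elem_type < TYPE_DSE)` in the second hunk, so the access stays in bounds only as long as `TYPE_DSE <= 4`, a relationship established in the enum elsewhere in the codec rather than anywhere in this diff. Declare it as `uint8_t che_presence[TYPE_DSE][MAX_ELEM_ID] = {{0}};` so the array bound and the index guard are the same expression and cannot drift apart if the element-type enum is reordered or extended.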
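Review bot: the second hunk makes any repeated `(elem_type, elem_id)` pair inside one raw data block fatal for the whole frame (`err = AVERROR_INVALIDDATA;` / `goto fail;`), which changes behaviour for every stream that repeats an element ID, not only for the fuzzed input, and Hendrik's reply above already reports a real stream that stops decoding after this patch (ticket 7477). Since the stated goal is closing a timeout, the commit message should cite the part of the AAC raw-data-block syntax that forbids duplicate element IDs within a frame; if that is not clear-cut, consider the decoder's usual pattern of logging and failing hard only when `avctx->err_recognition & AV_EF_EXPLODE` is set, or bounding the per-frame work another way (for example a cap on the number of elements processed per frame), so the fuzzer timeout is still fixed without rejecting playable input.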
Fixes: Timeout
Fixes: 9552/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6027842339995648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/aacdec_template.c | 9 +++++++++
1 file changed, 9 insertions(+)