avcodec/aacdec: Fix integer overflow in argument to decode_audio_specific_config()
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 2 Aug 2015 23:22:27 +0000 (01:22 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 2 Aug 2015 23:41:13 +0000 (01:41 +0200)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/aacdec.c
libavcodec/aacdec_template.c

index c036403..837102f 100644 (file)
@@ -496,7 +496,7 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out,
             push_output_configuration(&latmctx->aac_ctx);
             if ((err = decode_audio_specific_config(
                     &latmctx->aac_ctx, avctx, &latmctx->aac_ctx.oc[1].m4ac,
-                    avctx->extradata, avctx->extradata_size*8, 1)) < 0) {
+                    avctx->extradata, avctx->extradata_size*8LL, 1)) < 0) {
                 pop_output_configuration(&latmctx->aac_ctx);
                 return err;
             }
index 1f3ef0e..c2d7d05 100644 (file)
@@ -940,13 +940,18 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx,
 static int decode_audio_specific_config(AACContext *ac,
                                         AVCodecContext *avctx,
                                         MPEG4AudioConfig *m4ac,
-                                        const uint8_t *data, int bit_size,
+                                        const uint8_t *data, int64_t bit_size,
                                         int sync_extension)
 {
     GetBitContext gb;
     int i, ret;
 
-    ff_dlog(avctx, "audio specific config size %d\n", bit_size >> 3);
+    if (bit_size < 0 || bit_size > INT_MAX) {
+        av_log(avctx, AV_LOG_ERROR, "Audio specific config size is invalid\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    ff_dlog(avctx, "audio specific config size %d\n", (int)bit_size >> 3);
     for (i = 0; i < bit_size >> 3; i++)
         ff_dlog(avctx, "%02x ", data[i]);
     ff_dlog(avctx, "\n");
@@ -1076,7 +1081,7 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
     if (avctx->extradata_size > 0) {
         if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac,
                                                 avctx->extradata,
-                                                avctx->extradata_size * 8,
+                                                avctx->extradata_size * 8LL,
                                                 1)) < 0)
             return ret;
     } else {
@@ -3107,7 +3112,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
         push_output_configuration(ac);
         if (decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac,
                                          avctx->extradata,
-                                         avctx->extradata_size*8, 1) < 0) {
+                                         avctx->extradata_size*8LL, 1) < 0) {
             pop_output_configuration(ac);
             return AVERROR_INVALIDDATA;
         }