Fix a possible endless loop when decoding aac.
authorCarl Eugen Hoyos <cehoyos@ag.or.at>
Fri, 23 Dec 2011 10:38:37 +0000 (11:38 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 3 Jan 2012 21:27:49 +0000 (22:27 +0100)
Fixes ticket #789.
(cherry picked from commit e5de9289232c5b14572fa13e2435f9adb0b0f1ec)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/aacdec.c

index 2b2ae8a..806e1b5 100644 (file)
@@ -819,10 +819,10 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
                 av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
                 return -1;
             }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1 && get_bits_left(gb) >= bits)
                 sect_end += sect_len_incr;
             sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0) {
+            if (get_bits_left(gb) < 0 || sect_len_incr == (1 << bits) - 1) {
                 av_log(ac->avctx, AV_LOG_ERROR, overread_err);
                 return -1;
             }
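Review bot: The escape loop is still bounded only by the bits left in the packet, so a packet filled with escape codes is walked to its end while `sect_end` grows far past the 120 entries of `band_type` before any later check can reject it. Testing the running total inside a braced loop body, e.g. `if (sect_end > 120) return -1;` (or the tighter per-window limit, if the function has one outside this hunk), would stop at the first impossible section end. `get_bits()` is also called before `get_bits_left()` is consulted, so the final read can run up to `bits` bits past the payload and appears to rely on input buffer padding. A comment on the new test, such as `/* escape code at loop exit: the length was cut off by end of data */`, would explain why it shares the overread error. `decode_band_types` starts and ends outside this hunk.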