Commit 1cd9a615 authored by Alex Converse's avatar Alex Converse

aac: fix infinite loop on end-of-frame with sequence of 1-bits.

Based-on-work-by: 's avatarRonald S. Bultje <rsbultje@gmail.com>
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent b142496c
...@@ -973,19 +973,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120], ...@@ -973,19 +973,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n"); av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
return -1; return -1;
} }
while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1) do {
sect_len_incr = get_bits(gb, bits);
sect_end += sect_len_incr; sect_end += sect_len_incr;
sect_end += sect_len_incr; if (get_bits_left(gb) < 0) {
if (get_bits_left(gb) < 0) { av_log(ac->avctx, AV_LOG_ERROR, overread_err);
av_log(ac->avctx, AV_LOG_ERROR, overread_err); return -1;
return -1; }
} if (sect_end > ics->max_sfb) {
if (sect_end > ics->max_sfb) { av_log(ac->avctx, AV_LOG_ERROR,
av_log(ac->avctx, AV_LOG_ERROR, "Number of bands (%d) exceeds limit (%d).\n",
"Number of bands (%d) exceeds limit (%d).\n", sect_end, ics->max_sfb);
sect_end, ics->max_sfb); return -1;
return -1; }
} } while (sect_len_incr == (1 << bits) - 1);
for (; k < sect_end; k++) { for (; k < sect_end; k++) {
band_type [idx] = sect_band_type; band_type [idx] = sect_band_type;
band_type_run_end[idx++] = sect_end; band_type_run_end[idx++] = sect_end;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment