aacdec: reset max_sfb on invalid data.

Fixes global out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

aacdec: reset max_sfb on invalid data.
Fixes global out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
5a4af049 · Michael Niedermayer · 3583c870 · 5a4af049
Commit 5a4af049 authored Mar 22, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

aacdec.c libavcodec/aacdec.c +6 -3

No files found.
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -961,11 +961,11 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
        if (ics->predictor_present) {
            if (ac->m4ac.object_type == AOT_AAC_MAIN) {
                if (decode_prediction(ac, ics, gb)) {
-                    return AVERROR_INVALIDDATA;
+                    goto fail;
                }
            } else if (ac->m4ac.object_type == AOT_AAC_LC) {
                av_log(ac->avctx, AV_LOG_ERROR, "Prediction is not allowed in AAC-LC.\n");
-                return AVERROR_INVALIDDATA;
+                goto fail;
            } else {
                if ((ics->ltp.present = get_bits(gb, 1)))
                    decode_ltp(ac, &ics->ltp, gb, ics->max_sfb);
@@ -977,10 +977,13 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
        av_log(ac->avctx, AV_LOG_ERROR,
               "Number of scalefactor bands in group (%d) exceeds limit (%d).\n",
               ics->max_sfb, ics->num_swb);
-        return AVERROR_INVALIDDATA;
+        goto fail;
    }

    return 0;
+fail:
+    ics->max_sfb = 0;
+    return AVERROR_INVALIDDATA;
 }

 /**