avcodec/aacdec: Fix integer overflow in argument to decode_audio_specific_config()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/aacdec: Fix integer overflow in argument to decode_audio_specific_config()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7f46a641 · Michael Niedermayer · 7ab1c57a · 7f46a641 · 7f46a641
Commit 7f46a641 authored Aug 02, 2015 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 5 deletions

aacdec.c libavcodec/aacdec.c +1 -1

aacdec_template.c libavcodec/aacdec_template.c +9 -4

No files found.
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -496,7 +496,7 @@ static int latm_decode_frame(AVCodecContext *avctx, void *out,
            push_output_configuration(&latmctx->aac_ctx);
            if ((err = decode_audio_specific_config(
                    &latmctx->aac_ctx, avctx, &latmctx->aac_ctx.oc[1].m4ac,
-                    avctx->extradata, avctx->extradata_size*8, 1)) < 0) {
+                    avctx->extradata, avctx->extradata_size*8LL, 1)) < 0) {
                pop_output_configuration(&latmctx->aac_ctx);
                return err;
            }

--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -940,13 +940,18 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx,
 static int decode_audio_specific_config(AACContext *ac,
                                        AVCodecContext *avctx,
                                        MPEG4AudioConfig *m4ac,
-                                        const uint8_t *data, int bit_size,
+                                        const uint8_t *data, int64_t bit_size,
                                        int sync_extension)
 {
    GetBitContext gb;
    int i, ret;

-    ff_dlog(avctx, "audio specific config size %d\n", bit_size >> 3);
+    if (bit_size < 0 || bit_size > INT_MAX) {
+        av_log(avctx, AV_LOG_ERROR, "Audio specific config size is invalid\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    ff_dlog(avctx, "audio specific config size %d\n", (int)bit_size >> 3);
    for (i = 0; i < bit_size >> 3; i++)
        ff_dlog(avctx, "%02x ", data[i]);
    ff_dlog(avctx, "\n");
@@ -1076,7 +1081,7 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
    if (avctx->extradata_size > 0) {
        if ((ret = decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac,
                                                avctx->extradata,
-                                                avctx->extradata_size * 8,
+                                                avctx->extradata_size * 8LL,
                                                1)) < 0)
            return ret;
    } else {
@@ -3107,7 +3112,7 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
        push_output_configuration(ac);
        if (decode_audio_specific_config(ac, ac->avctx, &ac->oc[1].m4ac,
                                         avctx->extradata,
-                                         avctx->extradata_size*8, 1) < 0) {
+                                         avctx->extradata_size*8LL, 1) < 0) {
            pop_output_configuration(ac);
            return AVERROR_INVALIDDATA;
        }