Commit b563afe6 authored by Carl Eugen Hoyos's avatar Carl Eugen Hoyos

Do not allow arbitrary packet size in aac decoder.

Fixes a crash with a file containing a 400MB packet reported in bug 420.
parent ac6e074f
...@@ -2665,6 +2665,9 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data, ...@@ -2665,6 +2665,9 @@ static int aac_decode_frame(AVCodecContext *avctx, void *data,
if (ac->force_dmono_mode >= 0) if (ac->force_dmono_mode >= 0)
ac->dmono_mode = ac->force_dmono_mode; ac->dmono_mode = ac->force_dmono_mode;
if (INT_MAX / 8 <= buf_size)
return AVERROR_INVALIDDATA;
init_get_bits(&gb, buf, buf_size * 8); init_get_bits(&gb, buf, buf_size * 8);
if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb, avpkt)) < 0) if ((err = aac_decode_frame_int(avctx, data, got_frame_ptr, &gb, avpkt)) < 0)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment