avcodec/aacsbr: check that the element type matches before applying SBR

avcodec/aacsbr: check that the element type matches before applying SBR

Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2015-6820.patch

diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
index 20c7e93819cdbd61ed7f0c35cbe4eb74bd14ddc8..d87dbedf4008147713aaf18d641c0e3744dcc8a2 100644 (file)
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1006,6 +1006,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr,
 {
     unsigned int cnt = get_bits_count(gb);
 
+    sbr->id_aac = id_aac;
+
     if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) {
         if (read_sbr_single_channel_element(ac, sbr, gb)) {
             sbr_turnoff(sbr);
@@ -1658,6 +1660,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac,
     int nch = (id_aac == TYPE_CPE) ? 2 : 1;
     int err;
 
+    if (id_aac != sbr->id_aac) {
+        av_log(ac->avctx, AV_LOG_ERROR,
+            "element type mismatch %d != %d\n", id_aac, sbr->id_aac);
+        sbr_turnoff(sbr);
+    }
+
     if (!sbr->kx_and_m_pushed) {
         sbr->kx[0] = sbr->kx[1];
         sbr->m[0] = sbr->m[1];

diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h
index a47ad6eedb7151c2c3c8fc4b34dd7819d4dda491..955d4fa4557b66e411b303003c642bf5342ac3f5 100644 (file)
--- a/libavcodec/sbr.h
+++ b/libavcodec/sbr.h
@@ -114,6 +114,7 @@ typedef struct SBRData {
 typedef struct SpectralBandReplication {
     int                sample_rate;
     int                start;
+    int                id_aac;
     int                reset;
     SpectrumParameters spectrum_params;
     int                bs_amp_res_header;