From: Michael Niedermayer
Date: Tue, 30 Jun 2015 22:05:43 +0000 (+0200)
Subject: avcodec/aacsbr: check that the element type matches before applying SBR
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u4+rpi1^2~34
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=92a5715a440a2cb385194aa3830c027d453aabe1;p=libav.git
avcodec/aacsbr: check that the element type matches before applying SBR
avcodec/aacsbr: check that the element type matches before applying SBR
Fixes out of array access
Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
Gbp-Pq: Name CVE-2015-6820.patch
---
diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
index 20c7e93..d87dbed 100644
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -1006,6 +1006,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr,
{
unsigned int cnt = get_bits_count(gb);
+ sbr->id_aac = id_aac;
+
if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) {
if (read_sbr_single_channel_element(ac, sbr, gb)) {
sbr_turnoff(sbr);
@@ -1658,6 +1660,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac,
int nch = (id_aac == TYPE_CPE) ? 2 : 1;
int err;
+ if (id_aac != sbr->id_aac) {
+ av_log(ac->avctx, AV_LOG_ERROR,
+ "element type mismatch %d != %d\n", id_aac, sbr->id_aac);
+ sbr_turnoff(sbr);
+ }
+
if (!sbr->kx_and_m_pushed) {
sbr->kx[0] = sbr->kx[1];
sbr->m[0] = sbr->m[1];
diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h
index a47ad6e..955d4fa 100644
--- a/libavcodec/sbr.h
+++ b/libavcodec/sbr.h
@@ -114,6 +114,7 @@ typedef struct SBRData {
typedef struct SpectralBandReplication {
int sample_rate;
int start;
+ int id_aac;
int reset;
SpectrumParameters spectrum_params;
int bs_amp_res_header;
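Review bot: The new `sbr->id_aac = id_aac;` at the top of read_sbr_data has no comment, although the bounds fix in ff_sbr_apply depends entirely on this field being current; a line such as `/* element type this SBR payload is parsed for; ff_sbr_apply() compares against it */` would make that coupling visible. This is the only writer of the field shown in the patch, so before the first SBR payload it holds whatever context initialisation leaves there, presumably zero, which may coincide with a valid element type. If that is the case, setting a sentinel at init (for example `sbr->id_aac = -1;`) would make the "nothing parsed yet" state unambiguous. The body of read_sbr_data continues outside the hunk.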
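Review bot: The mismatch branch in ff_sbr_apply calls `sbr_turnoff(sbr);` but does not return, so the rest of the function still runs with `nch` derived from the caller's id_aac rather than from the type the data was parsed for. Whether that is safe depends on sbr_turnoff() resetting every piece of state the later per-channel code reads, which this hunk does not show. Once confirmed, a comment stating the invariant, e.g. `/* sbr_turnoff() clears the parsed state, so only the SBR-disabled path runs below */`, would keep a later change to sbr_turnoff from silently reopening the out-of-array access. Because the element type comes from the bitstream, the `AV_LOG_ERROR` message can also repeat on every frame of a malformed file, so a lower level or log-once may be preferable. The function continues outside the hunk.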