From 8e27e0bd3004b41ebc61be9f8b19a0cb4787f39b Mon Sep 17 00:00:00 2001
From: Jean-Michel Trivi
Date: Thu, 7 Mar 2019 12:52:29 -0800
Subject: AAC decoder: fix use of uninitialized value, check index Initialize aInterpolate int array in mapIndexData(). Prevent index from accessing OOB value.
Bug: 120426980
Test: see bug
Change-Id: Ib9f1b5e143802d3d662af36fedcae8bf47ff09bc
---
 libSACdec/src/sac_bitdec.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'libSACdec/src/sac_bitdec.cpp')
diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp
index 883e1e8..a1bdca4 100644
--- a/libSACdec/src/sac_bitdec.cpp
+++ b/libSACdec/src/sac_bitdec.cpp
@@ -1457,7 +1457,7 @@ static SACDEC_ERROR mapIndexData(
 FIXP_DBL (*pOttVsTotDb1)[MAX_PARAMETER_SETS][MAX_PARAMETER_BANDS],
 FIXP_DBL (*pOttVsTotDb2)[MAX_PARAMETER_SETS][MAX_PARAMETER_BANDS]) {
 int aParamSlots[MAX_PARAMETER_SETS];
- int aInterpolate[MAX_PARAMETER_SETS];
+ int aInterpolate[MAX_PARAMETER_SETS] = {0};
 int dataSets;
 int aMap[MAX_PARAMETER_BANDS + 1];
@@ -1562,6 +1562,7 @@ static SACDEC_ERROR mapIndexData(
 i2 = i;
 while (aInterpolate[i2] == 1) {
 i2++;
+ if (i2 >= MAX_PARAMETER_SETS) return MPS_WRONG_PARAMETERSETS;
 }
 x1 = paramSlot[i1];
 xi = paramSlot[i];
--
cgit v1.2.3
From 845febbb4aa8b81914a8d759536ec48f496d46a3 Mon Sep 17 00:00:00 2001
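Review bot: In mapIndexData() the neighbouring `int aParamSlots[MAX_PARAMETER_SETS];` is still declared without an initializer on the line directly above the fixed `aInterpolate`, and so is `aMap` a little further down. Whether every element of those arrays is written before it is read cannot be seen from this hunk (the function body continues outside it), but if they are filled by the same partial loop as `aInterpolate` they carry the same uninitialized-read risk on malformed input and should get `= {0}` too. A short comment on the new initializer, e.g. `/* zero-init: any entry other than 1 stops the interpolation scan below */`, would record why it must not be dropped again.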
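Review bot: The new bound in the `while (aInterpolate[i2] == 1)` loop of mapIndexData() is tested only after `i2++`, so the first read of `aInterpolate[i2]` (with `i2 = i`) still depends on the enclosing loop keeping `i` in range, and that loop is outside the hunk. Folding the limit into the condition, `while (i2 < MAX_PARAMETER_SETS && aInterpolate[i2] == 1) i2++;` followed by `if (i2 >= MAX_PARAMETER_SETS) return MPS_WRONG_PARAMETERSETS;`, guards every read in one place. The limit is also the array capacity rather than the number of parameter sets populated for the frame: with the array now zero-filled the scan can stop on an entry that was never written, and if `i2` is then used to index `paramSlot` (as `i1` and `i` are just below) that access is bounded only by the caller's buffer. Comparing against the populated count, if one is in scope at this point, would be tighter.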
From: Martin Storsjo
Date: Fri, 12 Jun 2020 10:29:11 +0300
Subject: Don't store a value read directly from the bitstream in an enum In this case, the enum only has one single allowed value, while the bitstream can contain a number of different values. Don't load the unchecked value into an enum variable, because storing the disallowed values in the enum variable is undefined behaviour. Instead store it in an int, until the value has been verified to be the allowed one. This fixes undefined behaviour sanitizer errors.
Fixes: 23192/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5205702892322816
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libSACdec/src/sac_bitdec.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'libSACdec/src/sac_bitdec.cpp')
diff --git a/libSACdec/src/sac_bitdec.cpp b/libSACdec/src/sac_bitdec.cpp
index a1bdca4..062eb1c 100644
--- a/libSACdec/src/sac_bitdec.cpp
+++ b/libSACdec/src/sac_bitdec.cpp
@@ -448,6 +448,7 @@ SACDEC_ERROR SpatialDecParseSpecificConfig(
 int bsFreqRes, b3DaudioMode = 0;
 int numHeaderBits;
 int cfgStartPos, bitsAvailable;
+ int treeConfig;
 FDKmemclear(pSpatialSpecificConfig, sizeof(SPATIAL_SPECIFIC_CONFIG));
@@ -488,13 +489,13 @@ SACDEC_ERROR SpatialDecParseSpecificConfig(
 pSpatialSpecificConfig->freqRes = (SPATIALDEC_FREQ_RES)freqResTable_LD[bsFreqRes];
- pSpatialSpecificConfig->treeConfig =
- (SPATIALDEC_TREE_CONFIG)FDKreadBits(bitstream, 4);
+ treeConfig = FDKreadBits(bitstream, 4);
- if (pSpatialSpecificConfig->treeConfig != SPATIALDEC_MODE_RSVD7) {
+ if (treeConfig != SPATIALDEC_MODE_RSVD7) {
 err = MPS_UNSUPPORTED_CONFIG;
 goto bail;
 }
+ pSpatialSpecificConfig->treeConfig = (SPATIALDEC_TREE_CONFIG) treeConfig;
 {
 pSpatialSpecificConfig->nOttBoxes =
--
cgit v1.2.3
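Review bot: Nothing at the new `treeConfig = FDKreadBits(bitstream, 4);` in SpatialDecParseSpecificConfig() says why the value is held in an `int`, so a later clean-up could fold the read back into the enum assignment and reintroduce the undefined behaviour. I would add a comment above it such as `/* keep the raw 4-bit field in an int; cast to the enum only after validation */`. The cast on the added assignment is written `(SPATIALDEC_TREE_CONFIG) treeConfig` with a space, while the `freqRes` cast a few lines up has none; dropping the space keeps the file consistent. The function body starts and ends outside this hunk.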