diff options
author | ShashankPathmudi <146080254+ShashankPathmudi@users.noreply.github.com> | 2023-12-29 17:16:17 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-29 17:16:17 +0530 |
commit | 59ab6ada33b59f40b385a229298b40cc6f903db5 (patch) | |
tree | b25a77be6bbea62195afb00521b7949c2349941d | |
parent | 1ce177ea0eba8bd56c22131e53df102ddf9fd6fe (diff) | |
download | libxaac-59ab6ada33b59f40b385a229298b40cc6f903db5.tar.gz |
Fix for global buffer overflow in MPS module (#74)
-rw-r--r-- | decoder/ixheaacd_mps_bitdec.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/decoder/ixheaacd_mps_bitdec.c b/decoder/ixheaacd_mps_bitdec.c index d8a10e4..76d2e32 100644 --- a/decoder/ixheaacd_mps_bitdec.c +++ b/decoder/ixheaacd_mps_bitdec.c @@ -511,6 +511,26 @@ static IA_ERRORCODE ixheaacd_ec_data_dec(ia_heaac_mps_state_struct *pstr_mps_sta (!frame->bs_independency_flag || (set_idx > 0)), 0, 1, pstr_mps_state->ec_flag); if (error_code != IA_NO_ERROR) return error_code; + if (datatype == CLD) { + WORD32 band; + for (i = 0; i < pstr_mps_state->num_parameter_sets; i++) { + for (band = start_band; band < stop_band; band++) { + if (data[box_idx][i][band] > 15 || data[box_idx][i][band] < -15) { + return IA_FATAL_ERROR; + } + } + } + } else if (datatype == ICC) { + WORD32 band; + for (i = 0; i < pstr_mps_state->num_parameter_sets; i++) { + for (band = start_band; band < stop_band; band++) { + if (data[box_idx][i][band] > 7 || data[box_idx][i][band] < 0) { + return IA_FATAL_ERROR; + } + } + } + } + for (pb = 0; pb < data_bands; pb++) { for (i = a_strides[pb]; i < a_strides[pb + 1]; i++) { lastdata[box_idx][i] = data[box_idx][set_idx + bs_data_pair][start_band + pb]; |