From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 22 Mar 2012 22:57:45 +0000 (+0100)
Subject: aacdec: reset max_sfb on invalid data.
X-Git-Tag: android-x86-4.4-r1~12839
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=5a4af049b1a84ee09aba3745678797fce82c4a1e;p=android-x86%2Fexternal-ffmpeg.git

aacdec: reset max_sfb on invalid data.

Fixes global out of array read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index d91ee917d9..f0ed667944 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -961,11 +961,11 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
         if (ics->predictor_present) {
             if (ac->m4ac.object_type == AOT_AAC_MAIN) {
                 if (decode_prediction(ac, ics, gb)) {
-                    return AVERROR_INVALIDDATA;
+                    goto fail;
                 }
             } else if (ac->m4ac.object_type == AOT_AAC_LC) {
                 av_log(ac->avctx, AV_LOG_ERROR, "Prediction is not allowed in AAC-LC.\n");
-                return AVERROR_INVALIDDATA;
+                goto fail;
             } else {
                 if ((ics->ltp.present = get_bits(gb, 1)))
                     decode_ltp(ac, &ics->ltp, gb, ics->max_sfb);
@@ -977,10 +977,13 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics,
         av_log(ac->avctx, AV_LOG_ERROR,
                "Number of scalefactor bands in group (%d) exceeds limit (%d).\n",
                ics->max_sfb, ics->num_swb);
-        return AVERROR_INVALIDDATA;
+        goto fail;
     }
 
     return 0;
+fail:
+    ics->max_sfb = 0;
+    return AVERROR_INVALIDDATA;
 }
 
 /**