Buffers containing copies of the AAC and AC3 header bits were not padded
before parsing, violating init_get_bits() buffer padding requirement,
leading to potential buffer read overflows.
This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer
for parsing the header in each of aac_parser.c and ac3_parser.c.
Based on patch by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit
fccd85b9f30525f88692f53134eba41f1f2d90db)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
int size;
union {
uint64_t u64;
- uint8_t u8[8];
+ uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
} tmp;
tmp.u64 = av_be2ne64(state);
int err;
union {
uint64_t u64;
- uint8_t u8[8];
+ uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
} tmp = { av_be2ne64(state) };
AC3HeaderInfo hdr;
GetBitContext gbc;