}
/* NOTE: this offset is the same as MPEG4 AAC ! */
last_exp += code - 60;
- if ((unsigned)last_exp + 60 > FF_ARRAY_ELEMS(pow_tab)) {
+ if ((unsigned)last_exp + 60 >= FF_ARRAY_ELEMS(pow_tab)) {
av_log(s->avctx, AV_LOG_ERROR, "Exponent out of range: %d\n",
last_exp);
return -1;
if (s->use_bit_reservoir) {
bit_offset = get_bits(&s->gb, s->byte_offset_bits + 3);
+ if (bit_offset > get_bits_left(&s->gb)) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Invalid last frame bit offset %d > buf size %d (%d)\n",
+ bit_offset, get_bits_left(&s->gb), buf_size);
+ goto fail;
+ }
if (s->last_superframe_len > 0) {
// printf("skip=%d\n", s->last_bitoffset);
if (len > 0) {
*q++ = (get_bits)(&s->gb, len) << (8 - len);
}
+ memset(q, 0, FF_INPUT_BUFFER_PADDING_SIZE);
/* XXX: bit_offset bits into last frame */
- init_get_bits(&s->gb, s->last_superframe, MAX_CODED_SUPERFRAME_SIZE*8);
+ init_get_bits(&s->gb, s->last_superframe, s->last_superframe_len * 8 + bit_offset);
/* skip unused bits */
if (s->last_bitoffset > 0)
skip_bits(&s->gb, s->last_bitoffset);
/* read each frame starting from bit_offset */
pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3;
- if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8)
+ if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8 || pos > buf_size * 8)
return AVERROR_INVALIDDATA;
- init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8);
+ init_get_bits(&s->gb, buf + (pos >> 3), (buf_size - (pos >> 3))*8);
len = pos & 7;
if (len > 0)
skip_bits(&s->gb, len);
projects / ffmpeg / blobdiff