avcodec/aacdec: Fix pulse position checks in decode_pulses()

Fixes out of array read
Fixes: asan_static-oob_1efed25_1887_cov_2013541199_HeyYa_RA10_AAC_192K_30s.rm
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 27f4b4c660b3f9da390eac7ca9c6829527ec87cc..a420c3643a9360bb5c80222d8fe547f8b68a442b 100644 (file)
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1426,12 +1426,12 @@ static int decode_pulses(Pulse *pulse, GetBitContext *gb,
         return -1;
     pulse->pos[0]    = swb_offset[pulse_swb];
     pulse->pos[0]   += get_bits(gb, 5);
-    if (pulse->pos[0] > 1023)
+    if (pulse->pos[0] >= swb_offset[num_swb])
         return -1;
     pulse->amp[0]    = get_bits(gb, 4);
     for (i = 1; i < pulse->num_pulse; i++) {
         pulse->pos[i] = get_bits(gb, 5) + pulse->pos[i - 1];
-        if (pulse->pos[i] > 1023)
+        if (pulse->pos[i] >= swb_offset[num_swb])
             return -1;
         pulse->amp[i] = get_bits(gb, 4);
     }