avcodec/aacps: Check border_position to be monotone

Fixes: runtime error: left shift of negative value -67108864
Fixes: 1738/clusterfuzz-testcase-minimized-6734814327603200
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index 48b595adbd7f3672d3f55b63404c81feb2e7e3b4..31e072dd498425dc041cd2df5edb4c3baf92ef2b 100644 (file)
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -196,8 +196,13 @@ int AAC_RENAME(ff_ps_read_data)(AVCodecContext *avctx, GetBitContext *gb_host, P
 
     ps->border_position[0] = -1;
     if (ps->frame_class) {
-        for (e = 1; e <= ps->num_env; e++)
+        for (e = 1; e <= ps->num_env; e++) {
             ps->border_position[e] = get_bits(gb, 5);
+            if (ps->border_position[e] < ps->border_position[e-1]) {
+                av_log(avctx, AV_LOG_ERROR, "border_position non monotone.\n");
+                goto err;
+            }
+        }
     } else
         for (e = 1; e <= ps->num_env; e++)
             ps->border_position[e] = (e * numQMFSlots >> ff_log2_tab[ps->num_env]) - 1;