Buffers containing copies of the AAC and AC3 header bits were not padded
before parsing, violating the init_get_bits() buffer padding requirement
and leading to potential buffer read overflows.
This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer
for parsing the header in each of aac_parser.c and ac3_parser.c.
Based on patch by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fccd85b9f30525f88692f53134eba41f1f2d90db)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
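--- a/ac3_parser.c
+++ b/ac3_parser.c
@@ -166,7 +166,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info,
 int err;
 union {
 uint64_t u64;
- uint8_t u8[8];
+ uint8_t u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
 } tmp = { av_be2ne64(state) };
 AC3HeaderInfo hdr, *phdr = &hdr;
 GetBitContext gbc;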
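Review bot: The padding bytes added to `tmp.u8` are not explicitly zeroed in the visible lines: the initializer `{ av_be2ne64(state) }` sets only the `u64` member, and for an automatic union C11 does not clearly guarantee the value of the bytes beyond the initialized member. The larger array keeps a read past the 8 header bytes inside the object, but what the bit reader finds there may be indeterminate; if deterministic parsing is wanted, add `memset(tmp.u8 + 8, 0, FF_INPUT_BUFFER_PADDING_SIZE);` before the buffer is passed to init_get_bits(). A short comment on the array, e.g. `/* padded: init_get_bits() requires FF_INPUT_BUFFER_PADDING_SIZE bytes after the data */`, would keep the reason for the odd size visible. ac3_sync continues past the hunk, so the init_get_bits() call and any existing clearing are not shown here; the description says aac_parser.c receives the same change, where the same question presumably applies.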