1. ffmpeg
  2. Commit 014dee89d00fdf474740fbb5cbcdf07cca8aaa9c
Browse code

avcodec: fix aac/ac3 parser bitstream buffer size

Buffers containing copies of the AAC and AC3 header bits were not padded
before parsing, violating init_get_bits() buffer padding requirement,
leading to potential buffer read overflows.
This change adds FF_INPUT_BUFFER_PADDING_SIZE bytes to the bit buffer
for parsing the header in each of aac_parser.c and ac3_parser.c.

Based on patch by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fccd85b9f30525f88692f53134eba41f1f2d90db)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Michael Niedermayer authored on 2014/08/22 08:15:57
Showing 2 changed files
libavcodec/aac_parser.c
History View file @ 014dee8
... ... 
@@ -34,7 +34,7 @@ static int aac_sync(uint64_t state, AACAC3ParseContext *hdr_info,
34 34 
     int size;
35 35 
     union {
36 36 
         uint64_t u64;
37 
-        uint8_t  u8[8];
37 
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
38 38 
     } tmp;
39 39
40 40 
     tmp.u64 = av_be2ne64(state);
libavcodec/ac3_parser.c
History View file @ 014dee8
... ... 
@@ -166,7 +166,7 @@ static int ac3_sync(uint64_t state, AACAC3ParseContext *hdr_info,
166 166 
     int err;
167 167 
     union {
168 168 
         uint64_t u64;
169 
-        uint8_t  u8[8];
169 
+        uint8_t  u8[8 + FF_INPUT_BUFFER_PADDING_SIZE];
170 170 
     } tmp = { av_be2ne64(state) };
171 171 
     AC3HeaderInfo hdr, *phdr = &hdr;
172 172 
     GetBitContext gbc;