prevent infinite loop and memcpy of negative amounts

fixes issue194 Originally committed as revision 10726 to svn://svn.ffmpeg.org/ffmpeg/trunk

prevent infinite loop and memcpy of negative amounts
4d570f94 · Michael Niedermayer · 972c5f9e · 4d570f94 · 4d570f94
Commit 4d570f94 authored 17 years ago by Michael Niedermayer
--- a/libavcodec/aac_parser.c
+++ b/libavcodec/aac_parser.c
@@ -67,6 +67,9 @@ static int aac_sync(const uint8_t *buf, int *channels, int *sample_rate,
    skip_bits1(&bits);          /* copyright_identification_bit */
    skip_bits1(&bits);          /* copyright_identification_start */
    size = get_bits(&bits, 13); /* aac_frame_length */
+    if(size < AAC_HEADER_SIZE)
+        return 0;
+
    skip_bits(&bits, 11);       /* adts_buffer_fullness */
    rdb = get_bits(&bits, 2);   /* number_of_raw_data_blocks_in_frame */


--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@@ -114,6 +114,9 @@ static int ac3_sync(const uint8_t *buf, int *channels, int *sample_rate,
            return 0;   /* Currently don't support additional streams */

        frmsiz = get_bits(&bits, 11) + 1;
+        if(frmsiz*2 < AC3_HEADER_SIZE)
+            return 0;
+
        fscod = get_bits(&bits, 2);
        if (fscod == 3) {
            fscod2 = get_bits(&bits, 2);