From ed1d112931776f40c5fc759204b79c78dfee5f9a Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Tue, 9 Mar 2010 10:25:42 +0000
Subject: [PATCH] aacsbr: Fail early on illegal envelope counts.

Originally committed as revision 22381 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/aacsbr.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
index a093dcf0068..e6832d93cbd 100644
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -628,6 +628,13 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
         if (ch_data->bs_num_env[1] == 1)
             ch_data->bs_amp_res = 0;
 
+        if (ch_data->bs_num_env[1] > 4) {
+            av_log(ac->avccontext, AV_LOG_ERROR,
+                   "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
+                   ch_data->bs_num_env[1]);
+            return -1;
+        }
+
         ch_data->bs_pointer = 0;
 
         ch_data->bs_freq_res[1] = get_bits1(gb);
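Review bot: The new FIXFIX check `if (ch_data->bs_num_env[1] > 4)` tests a value that has already been stored in `ch_data`, so the `return -1` path leaves an out-of-range envelope count in the channel state. The assignment is above this hunk, and the callers are not shown, so it is unclear whether anything reads `bs_num_env[1]` after a failed grid parse. A malformed stream should still not be able to leave that value in the context. Decoding into a local and committing only after validation would keep the state consistent on error: `if (num_env > 4) { ...; return -1; }` followed by `ch_data->bs_num_env[1] = num_env;`. The VARVAR hunk has the same store-then-check order at `ch_data->bs_num_env[1] = ch_data->bs_num_rel[0] + ch_data->bs_num_rel[1] + 1;`.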
@@ -666,6 +673,13 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
         ch_data->bs_num_rel[1]  = get_bits(gb, 2);
         ch_data->bs_num_env[1]  = ch_data->bs_num_rel[0] + ch_data->bs_num_rel[1] + 1;
 
+        if (ch_data->bs_num_env[1] > 5) {
+            av_log(ac->avccontext, AV_LOG_ERROR,
+                   "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n",
+                   ch_data->bs_num_env[1]);
+            return -1;
+        }
+
         for (i = 0; i < ch_data->bs_num_rel[0]; i++)
             ch_data->bs_rel_bord[0][i] = 2 * get_bits(gb, 2) + 2;
         for (i = 0; i < ch_data->bs_num_rel[1]; i++)
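Review bot: The limits `4` (FIXFIX) and `5` (VARVAR) are bare literals with no statement of where they come from, so a reader cannot confirm that they cover every later per-envelope index. These checks are presumably what keeps the loops further down in read_sbr_grid and the envelope readers within their arrays, but those arrays are declared outside this patch. A one-line comment above each check would make that reviewable, for example `/* VARVAR frames carry at most 5 envelopes; later per-envelope loops rely on this bound */`. If the bounds correspond to array dimensions, named constants shared with those declarations would keep the two from drifting apart.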
@@ -683,18 +697,6 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
                ch_data->bs_pointer);
         return -1;
     }
-    if (ch_data->bs_frame_class == FIXFIX && ch_data->bs_num_env[1] > 4) {
-        av_log(ac->avccontext, AV_LOG_ERROR,
-               "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
-               ch_data->bs_num_env[1]);
-        return -1;
-    }
-    if (ch_data->bs_frame_class == VARVAR && ch_data->bs_num_env[1] > 5) {
-        av_log(ac->avccontext, AV_LOG_ERROR,
-               "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n",
-               ch_data->bs_num_env[1]);
-        return -1;
-    }
 
     ch_data->bs_num_noise = (ch_data->bs_num_env[1] > 1) + 1;
 
-- 
GitLab