github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-20 21:00:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/aac/aacdec_usac: Implement missing bits of otts_bands_phase and residual_bands computation

Browse Source 
Fixes: out of array access
Fixes: matejsmycka/poc.mp4

Introducing commit: `baad75cafa6bac298b72c177f657a2eb8e31cff1` — "aacdec_usac: add support for parsing Mpsp212 (MPEG surround)", 2025-11-17.

Found-by: Matěj Smyčka <matejsmycka@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-03-31 15:51:52 +02:00
committed by michaelni
parent 9c04a40136
commit ddcb9dd3b5
1 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
libavcodec/aac/aacdec_usac.c
View File

@@ -218,6 +218,8 @@ static int decode_usac_element_pair(AACDecContext *ac,
if (!e->mps.freq_res)
return AVERROR_INVALIDDATA; /* value 0 is reserved */
int numBands = ((int[]){0,28,20,14,10,7,5,4})[e->mps.freq_res]; // ISO/IEC 23003-1:2007, 5.2, Table 39
e->mps.fixed_gain = get_bits(gb, 3); /* bsFixedGainDMX */
e->mps.temp_shape_config = get_bits(gb, 2); /* bsTempShapeConfig */
e->mps.decorr_config = get_bits(gb, 2); /* bsDecorrConfig */
@@ -225,12 +227,21 @@ static int decode_usac_element_pair(AACDecContext *ac,
e->mps.phase_coding = get_bits1(gb); /* bsPhaseCoding */
e->mps.otts_bands_phase_present = get_bits1(gb);
if (e->mps.otts_bands_phase_present) /* bsOttBandsPhasePresent */
e->mps.otts_bands_phase = get_bits(gb, 5); /* bsOttBandsPhase */
int otts_bands_phase = ((int[]){0,10,10,7,5,3,2,2})[e->mps.freq_res]; // Table 109 — Default value of bsOttBandsPhase
if (e->mps.otts_bands_phase_present) { /* bsOttBandsPhasePresent */
otts_bands_phase = get_bits(gb, 5); /* bsOttBandsPhase */
if (otts_bands_phase > numBands)
return AVERROR_INVALIDDATA;
}
e->mps.otts_bands_phase = otts_bands_phase;
e->mps.residual_coding = e->stereo_config_index >= 2; /* bsResidualCoding */
if (e->mps.residual_coding) {
e->mps.residual_bands = get_bits(gb, 5); /* bsResidualBands */
int residual_bands = get_bits(gb, 5); /* bsResidualBands */
if (residual_bands > numBands)
return AVERROR_INVALIDDATA;
e->mps.residual_bands = residual_bands;
e->mps.otts_bands_phase = FFMAX(e->mps.otts_bands_phase,
e->mps.residual_bands);
e->mps.pseudo_lr = get_bits1(gb); /* bsPseudoLr */