From cdce9e8025fff1dee2fd3d6bc28aebc0a330c5a0 Mon Sep 17 00:00:00 2001 From: Vittorio Giovara Date: Wed, 11 Mar 2015 19:25:00 +0000 Subject: [PATCH] aacsbr: Fix type for index variable Prevents unsigned overflow and variable truncation. Bug-Id: CID 603186 --- libavcodec/aacsbr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c index 3da8a5b099..b389e10817 100644 --- a/libavcodec/aacsbr.c +++ b/libavcodec/aacsbr.c @@ -628,7 +628,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, GetBitContext *gb, SBRData *ch_data) { int i; - unsigned bs_pointer = 0; + int bs_pointer = 0; // frameLengthFlag ? 15 : 16; 960 sample length frames unsupported; this value is numTimeSlots int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; @@ -721,7 +721,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, break; } - if (bs_pointer > ch_data->bs_num_env + 1) { + if (bs_pointer < 0 || bs_pointer > ch_data->bs_num_env + 1) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, bs_pointer points to a middle noise border outside the time borders table: %d\n", bs_pointer); @@ -740,7 +740,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, ch_data->t_q[0] = ch_data->t_env[0]; ch_data->t_q[ch_data->bs_num_noise] = ch_data->t_env[ch_data->bs_num_env]; if (ch_data->bs_num_noise > 1) { - unsigned int idx; + int idx; if (ch_data->bs_frame_class == FIXFIX) { idx = ch_data->bs_num_env >> 1; } else if (ch_data->bs_frame_class & 1) { // FIXVAR or VARVAR