aac: fix infinite loop on end-of-frame with sequence of 1-bits.

Based-on-work-by: Ronald S. Bultje <rsbultje@gmail.com> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 1cd9a6154b) Signed-off-by: Anton Khirnov <anton@khirnov.net>
2012-02-22 11:05:42 -08:00
parent ad0ee682b3
commit 683213230e
1 changed files with 13 additions and 12 deletions
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -807,19 +807,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
                av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
                return -1;
            }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+            do {
+                sect_len_incr = get_bits(gb, bits);
                sect_end += sect_len_incr;
-            sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0) {
-                av_log(ac->avctx, AV_LOG_ERROR, overread_err);
-                return -1;
-            }
-            if (sect_end > ics->max_sfb) {
-                av_log(ac->avctx, AV_LOG_ERROR,
-                       "Number of bands (%d) exceeds limit (%d).\n",
-                       sect_end, ics->max_sfb);
-                return -1;
-            }
+                if (get_bits_left(gb) < 0) {
+                    av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+                    return -1;
+                }
+                if (sect_end > ics->max_sfb) {
+                    av_log(ac->avctx, AV_LOG_ERROR,
+                           "Number of bands (%d) exceeds limit (%d).\n",
+                           sect_end, ics->max_sfb);
+                    return -1;
+                }
+            } while (sect_len_incr == (1 << bits) - 1);
            for (; k < sect_end; k++) {
                band_type        [idx]   = sect_band_type;
                band_type_run_end[idx++] = sect_end;