Skip to content

Commit

Permalink
Don't use enums for values read directly from the bitstream
Browse files Browse the repository at this point in the history
The enums don't cover all possible values read from the bitstream.

This fixes undefined behaviour sanitizer errors.

Fixes: 27647/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5654559200116736
Fixes: 28193/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-4901213455515648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  • Loading branch information
mstorsjo committed Jan 14, 2021
1 parent 22cfdbb commit 0e7f351
Showing 1 changed file with 4 additions and 5 deletions.
9 changes: 4 additions & 5 deletions libMpegTPDec/src/tpdec_asc.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -1549,8 +1549,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement,
const AUDIO_OBJECT_TYPE aot) {
TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;

USAC_EXT_ELEMENT_TYPE usacExtElementType =
(USAC_EXT_ELEMENT_TYPE)escapedValue(hBs, 4, 8, 16);
int usacExtElementType = escapedValue(hBs, 4, 8, 16);

/* recurve extension elements which are invalid for USAC */
if (aot == AOT_USAC) {
Expand All @@ -1567,7 +1566,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement,
}
}

extElement->usacExtElementType = usacExtElementType;
extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE)usacExtElementType;
int usacExtElementConfigLength = escapedValue(hBs, 4, 8, 16);
extElement->usacExtElementConfigLength = (USHORT)usacExtElementConfigLength;
INT bsAnchor;
Expand Down Expand Up @@ -1631,14 +1630,14 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc,
TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK;

int numConfigExtensions;
CONFIG_EXT_ID usacConfigExtType;
int usacConfigExtType;
int usacConfigExtLength;

numConfigExtensions = (int)escapedValue(hBs, 2, 4, 8) + 1;
for (int confExtIdx = 0; confExtIdx < numConfigExtensions; confExtIdx++) {
INT nbits;
int loudnessInfoSetConfigExtensionPosition = FDKgetValidBits(hBs);
usacConfigExtType = (CONFIG_EXT_ID)escapedValue(hBs, 4, 8, 16);
usacConfigExtType = escapedValue(hBs, 4, 8, 16);
usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16);

/* Start bit position of config extension */
Expand Down

0 comments on commit 0e7f351

Please sign in to comment.