[FFmpeg-cvslog] avcodec/aacdec_template: Clear tns present flag on error
ffmpeg | branch: release/2.8 | Michael Niedermayer| Sat Sep 30 18:54:05 2017 +0200| [1ad7bbfd210d072a7f0fc3ee22b00a8e665a65dc] | committer: Michael Niedermayer avcodec/aacdec_template: Clear tns present flag on error Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dcf9bae4a93f54cb5767bc97db4a809efd396f8b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1ad7bbfd210d072a7f0fc3ee22b00a8e665a65dc --- libavcodec/aacdec_template.c | 44 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index aca553ecbd..1f87bb8ad1 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1929,16 +1929,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, global_gain = get_bits(gb, 8); if (!common_window && !scale_flag) { -if (decode_ics_info(ac, ics, gb) < 0) -return AVERROR_INVALIDDATA; +ret = decode_ics_info(ac, ics, gb); +if (ret < 0) +goto fail; } if ((ret = decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics)) < 0) -return ret; +goto fail; if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end)) < 0) -return ret; +goto fail; pulse_present = 0; if (!scale_flag) { @@ -1946,37 +1947,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } if (decode_pulses(, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } } tns->present = get_bits1(gb); -if (tns->present && !er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && !er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} if (!eld_syntax && get_bits1(gb)) { avpriv_request_sample(ac->avctx, "SSR"); -return AVERROR_PATCHWELCOME; +ret = AVERROR_PATCHWELCOME; +goto fail; } // I see no textual basis in the spec for this occurring after SSR gain // control, but this is what both reference and real implmentations do -if (tns->present && er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} } -if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, -, ics, sce->band_type) < 0) -return AVERROR_INVALIDDATA; +ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, +, ics, sce->band_type); +if (ret < 0) +goto fail; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); return 0; +fail: +tns->present = 0; +return ret; } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/aacdec_template: Clear tns present flag on error
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sat Sep 30 18:54:05 2017 +0200| [d9630deca42950ba5c2891ceb6a27877663a0c28] | committer: Michael Niedermayer avcodec/aacdec_template: Clear tns present flag on error Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dcf9bae4a93f54cb5767bc97db4a809efd396f8b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d9630deca42950ba5c2891ceb6a27877663a0c28 --- libavcodec/aacdec_template.c | 44 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index d6880c90db..e63324d87d 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1945,16 +1945,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, global_gain = get_bits(gb, 8); if (!common_window && !scale_flag) { -if (decode_ics_info(ac, ics, gb) < 0) -return AVERROR_INVALIDDATA; +ret = decode_ics_info(ac, ics, gb); +if (ret < 0) +goto fail; } if ((ret = decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics)) < 0) -return ret; +goto fail; if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end)) < 0) -return ret; +goto fail; pulse_present = 0; if (!scale_flag) { @@ -1962,37 +1963,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } if (decode_pulses(, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } } tns->present = get_bits1(gb); -if (tns->present && !er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && !er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} if (!eld_syntax && get_bits1(gb)) { avpriv_request_sample(ac->avctx, "SSR"); -return AVERROR_PATCHWELCOME; +ret = AVERROR_PATCHWELCOME; +goto fail; } // I see no textual basis in the spec for this occurring after SSR gain // control, but this is what both reference and real implmentations do -if (tns->present && er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} } -if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, -, ics, sce->band_type) < 0) -return AVERROR_INVALIDDATA; +ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, +, ics, sce->band_type); +if (ret < 0) +goto fail; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); return 0; +fail: +tns->present = 0; +return ret; } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/aacdec_template: Clear tns present flag on error
ffmpeg | branch: release/3.0 | Michael Niedermayer| Sat Sep 30 18:54:05 2017 +0200| [d0e4c3410c90d9311009b6c7105d11d4abf45f7b] | committer: Michael Niedermayer avcodec/aacdec_template: Clear tns present flag on error Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dcf9bae4a93f54cb5767bc97db4a809efd396f8b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d0e4c3410c90d9311009b6c7105d11d4abf45f7b --- libavcodec/aacdec_template.c | 44 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 13a342784e..3cb8f32403 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1941,16 +1941,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, global_gain = get_bits(gb, 8); if (!common_window && !scale_flag) { -if (decode_ics_info(ac, ics, gb) < 0) -return AVERROR_INVALIDDATA; +ret = decode_ics_info(ac, ics, gb); +if (ret < 0) +goto fail; } if ((ret = decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics)) < 0) -return ret; +goto fail; if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end)) < 0) -return ret; +goto fail; pulse_present = 0; if (!scale_flag) { @@ -1958,37 +1959,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } if (decode_pulses(, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } } tns->present = get_bits1(gb); -if (tns->present && !er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && !er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} if (!eld_syntax && get_bits1(gb)) { avpriv_request_sample(ac->avctx, "SSR"); -return AVERROR_PATCHWELCOME; +ret = AVERROR_PATCHWELCOME; +goto fail; } // I see no textual basis in the spec for this occurring after SSR gain // control, but this is what both reference and real implmentations do -if (tns->present && er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} } -if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, -, ics, sce->band_type) < 0) -return AVERROR_INVALIDDATA; +ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, +, ics, sce->band_type); +if (ret < 0) +goto fail; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); return 0; +fail: +tns->present = 0; +return ret; } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/aacdec_template: Clear tns present flag on error
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Sep 30 18:54:05 2017 +0200| [4768b30b5bdf02cbfa6235f167ed2246009ed6f4] | committer: Michael Niedermayer avcodec/aacdec_template: Clear tns present flag on error Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dcf9bae4a93f54cb5767bc97db4a809efd396f8b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4768b30b5bdf02cbfa6235f167ed2246009ed6f4 --- libavcodec/aacdec_template.c | 44 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index e6f0a36f61..6a93aed2e8 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1967,16 +1967,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, global_gain = get_bits(gb, 8); if (!common_window && !scale_flag) { -if (decode_ics_info(ac, ics, gb) < 0) -return AVERROR_INVALIDDATA; +ret = decode_ics_info(ac, ics, gb); +if (ret < 0) +goto fail; } if ((ret = decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics)) < 0) -return ret; +goto fail; if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end)) < 0) -return ret; +goto fail; pulse_present = 0; if (!scale_flag) { @@ -1984,37 +1985,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } if (decode_pulses(, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } } tns->present = get_bits1(gb); -if (tns->present && !er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && !er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} if (!eld_syntax && get_bits1(gb)) { avpriv_request_sample(ac->avctx, "SSR"); -return AVERROR_PATCHWELCOME; +ret = AVERROR_PATCHWELCOME; +goto fail; } // I see no textual basis in the spec for this occurring after SSR gain // control, but this is what both reference and real implmentations do -if (tns->present && er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} } -if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, -, ics, sce->band_type) < 0) -return AVERROR_INVALIDDATA; +ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, +, ics, sce->band_type); +if (ret < 0) +goto fail; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); return 0; +fail: +tns->present = 0; +return ret; } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/aacdec_template: Clear tns present flag on error
ffmpeg | branch: master | Michael Niedermayer| Sat Sep 30 18:54:05 2017 +0200| [dcf9bae4a93f54cb5767bc97db4a809efd396f8b] | committer: Michael Niedermayer avcodec/aacdec_template: Clear tns present flag on error Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dcf9bae4a93f54cb5767bc97db4a809efd396f8b --- libavcodec/aacdec_template.c | 44 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 3558f1f550..082cc908d2 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1999,16 +1999,17 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, global_gain = get_bits(gb, 8); if (!common_window && !scale_flag) { -if (decode_ics_info(ac, ics, gb) < 0) -return AVERROR_INVALIDDATA; +ret = decode_ics_info(ac, ics, gb); +if (ret < 0) +goto fail; } if ((ret = decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics)) < 0) -return ret; +goto fail; if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end)) < 0) -return ret; +goto fail; pulse_present = 0; if (!scale_flag) { @@ -2016,37 +2017,48 @@ static int decode_ics(AACContext *ac, SingleChannelElement *sce, if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } if (decode_pulses(, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } } tns->present = get_bits1(gb); -if (tns->present && !er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && !er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} if (!eld_syntax && get_bits1(gb)) { avpriv_request_sample(ac->avctx, "SSR"); -return AVERROR_PATCHWELCOME; +ret = AVERROR_PATCHWELCOME; +goto fail; } // I see no textual basis in the spec for this occurring after SSR gain // control, but this is what both reference and real implmentations do -if (tns->present && er_syntax) -if (decode_tns(ac, tns, gb, ics) < 0) -return AVERROR_INVALIDDATA; +if (tns->present && er_syntax) { +ret = decode_tns(ac, tns, gb, ics); +if (ret < 0) +goto fail; +} } -if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, -, ics, sce->band_type) < 0) -return AVERROR_INVALIDDATA; +ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, +, ics, sce->band_type); +if (ret < 0) +goto fail; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); return 0; +fail: +tns->present = 0; +return ret; } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog