From f1f8e002622196de3aa650163e5dc2888ebc7a63 Mon Sep 17 00:00:00 2001 From: Fabian Greffrath Date: Mon, 10 Jun 2019 13:59:49 +0200 Subject: [PATCH] add patch to prevent crash on SCE followed by CPE hDecoder->element_alloced denotes whether or not we have allocated memory for usage in terms of the specified channel element. Given that it previously only had two states (1 meaning allocated, and 0 meaning not allocated), it would not allocate enough memory for parsing a CPE it if is preceeded by a SCE (and therefor crash). These changes fixes the issue by making sure that we allocate additional memory if so is necessary, and the set of values for hDecoder->element_alloced[n] is now: 0 = nothing allocated 1 = allocated enough for SCE 2 = allocated enough for CPE All branches that depend on hDecoder->element_alloced[n] prior to this patch only checks if the value is, or is not, zero. The added state, 2, is therefor correctly handled automatically. https://github.com/videolan/vlc/blob/master/contrib/src/faad2/faad2-fix-cpe-reconstruction.patch Signed-off-by: Baruch Siach --- Upstream status: commit f1f8e002622196d libfaad/specrec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libfaad/specrec.c b/libfaad/specrec.c index 9797d6e79468..0e72207fc9c0 100644 --- a/libfaad/specrec.c +++ b/libfaad/specrec.c @@ -1109,13 +1109,13 @@ uint8_t reconstruct_channel_pair(NeAACDecStruct *hDecoder, ic_stream *ics1, ic_s #ifdef PROFILE int64_t count = faad_get_ts(); #endif - if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0) + if (hDecoder->element_alloced[hDecoder->fr_ch_ele] != 2) { retval = allocate_channel_pair(hDecoder, cpe->channel, (uint8_t)cpe->paired_channel); if (retval > 0) return retval; - hDecoder->element_alloced[hDecoder->fr_ch_ele] = 1; + hDecoder->element_alloced[hDecoder->fr_ch_ele] = 2; } /* dequantisation and scaling */ -- 2.20.1