prevent infinite loop and memcpy of negative amounts

fixes issue194

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@10726 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c
index d6cf2693fcaa47b126ac3fc771a6258cc0c5a484..ac806931ecef550ee263045efc3132159f18ea8f 100644 (file)
--- a/libavcodec/aac_parser.c
+++ b/libavcodec/aac_parser.c
@@ -67,6 +67,9 @@ static int aac_sync(const uint8_t *buf, int *channels, int *sample_rate,
     skip_bits1(&bits);          /* copyright_identification_bit */
     skip_bits1(&bits);          /* copyright_identification_start */
     size = get_bits(&bits, 13); /* aac_frame_length */
+    if(size < AAC_HEADER_SIZE)
+        return 0;
+
     skip_bits(&bits, 11);       /* adts_buffer_fullness */
     rdb = get_bits(&bits, 2);   /* number_of_raw_data_blocks_in_frame */
 

diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c
index d97c86e01b0fbe29b99951cd999949d88ef9181b..034a0bdf268b3f6fbe9d9c58e6889c5ade82abe9 100644 (file)
--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@@ -114,6 +114,9 @@ static int ac3_sync(const uint8_t *buf, int *channels, int *sample_rate,
             return 0;   /* Currently don't support additional streams */
 
         frmsiz = get_bits(&bits, 11) + 1;
+        if(frmsiz*2 < AC3_HEADER_SIZE)
+            return 0;
+
         fscod = get_bits(&bits, 2);
         if (fscod == 3) {
             fscod2 = get_bits(&bits, 2);