Add tighter sanity checks in CBlock_GetEscape

We can't read 31 bits of value here, since that would place the topmost bit in the sign bit. Fixes: 3480/clusterfuzz-testcase-4573445423628288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
author: Martin Storsjo <martin@martin.st> 2017-10-20 15:36:53 +0300
committer: Martin Storsjo <martin@martin.st> 2017-10-20 16:33:25 +0300
commit: c366b3db8fd78013edc5968df8507473b6fa71e6 (patch)
tree: 76921c37bc9dc98b9e4e097a3ce4a95e1550431d
parent: e2e35b82738dc9d5e5229477d49d557cadad4dc7 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/libAACdec/src/block.cpp b/libAACdec/src/block.cpp
index bda565c..8bee2d4 100644
--- a/libAACdec/src/block.cpp
+++ b/libAACdec/src/block.cpp
@@ -138,7 +138,7 @@ LONG CBlock_GetEscape(HANDLE_FDK_BITSTREAM bs, /*!< pointer to bitstream */
 
   if (i > 16)
   {
-    if (i - 16 > CACHE_BITS) { /* cannot read more than "CACHE_BITS" bits at once in the function FDKreadBits() */
+    if (i >= 31) { /* (1 << i) will shift into the sign bit if i >= 31 */
       return (MAX_QUANTIZED_VALUE + 1); /* returning invalid value that will be captured later */
     }
author	Martin Storsjo <martin@martin.st>	2017-10-20 15:36:53 +0300
committer	Martin Storsjo <martin@martin.st>	2017-10-20 16:33:25 +0300
commit	c366b3db8fd78013edc5968df8507473b6fa71e6 (patch)
tree	76921c37bc9dc98b9e4e097a3ce4a95e1550431d
parent	e2e35b82738dc9d5e5229477d49d557cadad4dc7 (diff)