Make sure to end all CRC regions in the right order

This fixes assert failures, when a (corrupt/fuzzed) bitstream
doesn't trigger starting/ending CRCs properly (or when decoding
is aborted halfway when an error is encountered). Skipping ending
a CRC region doesn't trigger an assert failure, but when a later
CRC region is started and ended, an assert fails when the end
doesn't match the expected CRC region.

Fixes: 1928/clusterfuzz-testcase-minimized-6480505958563840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

1 files changed, 16 insertions, 1 deletions

diff --git a/libAACdec/src/channel.cpp b/libAACdec/src/channel.cpp
index 5475079..4b182e0 100644
--- a/libAACdec/src/channel.cpp
+++ b/libAACdec/src/channel.cpp
@@ -411,11 +411,15 @@ AAC_DECODER_ERROR CChannelElement_Read(HANDLE_FDK_BITSTREAM hBs,
     case drmcrc_end_reg:
       if (pTpDec != NULL) {
         transportDec_CrcEndReg(pTpDec, crcReg1);
+        crcReg1 = -1;
       }
       break;
     case adtscrc_end_reg2:
-      if (pTpDec != NULL) {
+      if (crcReg1 != -1) {
+        error = AAC_DEC_DECODE_FRAME_ERROR;
+      } else if (pTpDec != NULL) {
         transportDec_CrcEndReg(pTpDec, crcReg2);
+        crcReg2 = -1;
       }
       break;
     case drmcrc_start_reg:
@@ -447,5 +451,16 @@ AAC_DECODER_ERROR CChannelElement_Read(HANDLE_FDK_BITSTREAM hBs,
   } while (list->id[i] != end_of_sequence);
 
 bail:
+  if (crcReg1 != -1 || crcReg2 != -1) {
+    if (error == AAC_DEC_OK) {
+      error = AAC_DEC_DECODE_FRAME_ERROR;
+    }
+    if (crcReg1 != -1) {
+      transportDec_CrcEndReg(pTpDec, crcReg1);
+    }
+    if (crcReg2 != -1) {
+      transportDec_CrcEndReg(pTpDec, crcReg2);
+    }
+  }
   return error;
 }