Reapply: Avoid reading out of bounds due to too large aaIidIndexMapped

mstorsjo · mstorsjo · commit 9c3da1abb29c · 2018-10-16T09:45:46.000+03:00
Fixes: 10726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5167035365982208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
diff --git a/libSBRdec/src/psdec.cpp b/libSBRdec/src/psdec.cpp
@@ -325,7 +325,7 @@ void initSlotBasedRotation(
     int env, int usb) {
   INT group = 0;
   INT bin = 0;
-  INT noIidSteps;
+  INT noIidSteps, noFactors;
 
   FIXP_SGL invL;
   FIXP_DBL ScaleL, ScaleR;
@@ -337,9 +337,11 @@ void initSlotBasedRotation(
   if (h_ps_d->bsData[h_ps_d->processSlot].mpeg.bFineIidQ) {
     PScaleFactors = ScaleFactorsFine; /* values are shiftet right by one */
     noIidSteps = NO_IID_STEPS_FINE;
+    noFactors = NO_IID_LEVELS_FINE;
   } else {
     PScaleFactors = ScaleFactors; /* values are shiftet right by one */
     noIidSteps = NO_IID_STEPS;
+    noFactors = NO_IID_LEVELS;
   }
 
   /* dequantize and decode */
@@ -358,10 +360,13 @@ void initSlotBasedRotation(
 
     /* ScaleR and ScaleL are scaled by 1 shift right */
 
-    ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef
-                                            ->aaIidIndexMapped[env][bin]];
-    ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef
-                                            ->aaIidIndexMapped[env][bin]];
+    ScaleL = ScaleR = 0;
+    if (noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps + h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
+      ScaleR = PScaleFactors[noIidSteps + h_ps_d->specificTo.mpeg.pCoef
+                                              ->aaIidIndexMapped[env][bin]];
+    if (noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] >= 0 && noIidSteps - h_ps_d->specificTo.mpeg.pCoef->aaIidIndexMapped[env][bin] < noFactors)
+      ScaleL = PScaleFactors[noIidSteps - h_ps_d->specificTo.mpeg.pCoef
+                                              ->aaIidIndexMapped[env][bin]];
 
     AlphasValue = 0;
     if (h_ps_d->specificTo.mpeg.pCoef->aaIccIndexMapped[env][bin] >= 0)
