From 5236ded2ef20db3dd5ef63a2e78f50745c4e879c Mon Sep 17 00:00:00 2001
From: Thomas Lange
Date: Wed, 31 Jan 2024 01:05:28 +0100
Subject: [PATCH] aac: Avoid crash with corrupt files

NeAACDecInit() returns -1 in case of an error. Subtracting -1 actually increases the buflen by 1, resulting in a buffer overflow in memmove().

See also: https://github.com/orgs/audacious-media-player/discussions/109
---
 src/aac/aac.cc | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/aac/aac.cc b/src/aac/aac.cc
index 8cf94d222c..72a0b57099 100644
--- a/src/aac/aac.cc
+++ b/src/aac/aac.cc
@@ -319,7 +319,14 @@ static void aac_seek (VFSFile & file, NeAACDecHandle dec, int time, int len,
     unsigned char chan;
     unsigned long rate;
 
-    if ((used = NeAACDecInit (dec, (unsigned char *) buf, * buflen, & rate, & chan)))
+    if ((used = NeAACDecInit (dec, (unsigned char *) buf, * buflen, & rate, & chan)) < 0)
+    {
+        AUDERR ("Failed to initialize AAC decoder.\n");
+        * buflen = 0;
+        return;
+    }
+
+    if (used)
     {
         * buflen -= used;
         memmove (buf, (char *) buf + used, * buflen);
@@ -388,7 +395,13 @@ bool AACDecoder::play (const char * filename, VFSFile & file)
 
     /* == START DECODING == */
 
-    if ((used = NeAACDecInit (decoder, buf, buflen, & samplerate, & channels)))
+    if ((used = NeAACDecInit (decoder, buf, buflen, & samplerate, & channels)) < 0)
+    {
+        AUDERR ("Failed to initialize AAC decoder.\n");
+        goto ERR_CLOSE_DECODER;
+    }
+
+    if (used)
     {
         buflen -= used;
         memmove (buf, (char *) buf + used, buflen);
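Review bot: The new `< 0` test in aac_seek only closes the overflow if `used` is a signed type; its declaration is outside this hunk, and if it were unsigned the -1 from NeAACDecInit() would wrap to a huge value, the check would never fire, and `* buflen -= used` followed by memmove would overflow exactly as before. The same dependency applies to the play() hunk below. Since this code exists to survive corrupt input, it is worth also bounding the success path rather than trusting the library's count: `if (used < 0 || used > (long) * buflen)` would make the subsequent subtraction and memmove safe against any unexpected return, not just the documented -1. The rest of aac_seek, including where `used` and `buflen` are declared, lies outside the hunk.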
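Review bot: The error path in play() jumps to `ERR_CLOSE_DECODER`, which is defined outside this hunk, so whether that label releases the decoder handle and the buffer on this new path cannot be confirmed from the diff; it should be checked that nothing allocated between the label and this point is leaked. The log line is also identical to the one in aac_seek and omits the file that failed, which makes a corrupt-file report hard to trace back; `filename` is in scope here, so `AUDERR ("Failed to initialize AAC decoder for %s.\n", filename);` would be more useful. The body of play() continues past the end of the hunk.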