shithub: opus


ref: 9345aaa5ca1c2fb7d62981b2a538e0ce20612c38
parent: b05aa1dd763fe238c6e928385664e86bd66118e7
author: Jean-Marc Valin <[email protected]>
date: Fri Nov 30 12:36:36 EST 2012

Fixes an out-of-bounds read issue with the padding handling code

This was reported by Juri Aedla and is limited to reading memory up
to about 60 kB beyond the compressed buffer. This can only be triggered
by a compressed packet more than about 16 MB long, so it's not a problem
for RTP. In theory, it *could* crash an Ogg decoder if the memory just after
the incoming packet is out-of-range.

--- a/src/opus_decoder.c
+++ b/src/opus_decoder.c
@@ -641,7 +641,6 @@
       /* Padding flag is bit 6 */
       if (ch&0x40)
       {
-         int padding=0;
          int p;
          do {
             if (len<=0)
@@ -648,9 +647,8 @@
                return OPUS_INVALID_PACKET;
             p = *data++;
             len--;
-            padding += p==255 ? 254: p;
+            len -= p==255 ? 254: p;
          } while (p==255);
-         len -= padding;
       }
       if (len<0)
          return OPUS_INVALID_PACKET;
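Review bot: The new `len -= p==255 ? 254: p;` inside the do-loop carries the whole fix but has no comment saying why the subtraction must happen per padding byte, so a later cleanup could hoist it back into a running total. Shrinking `len` on every iteration means the `if (len<=0)` guard at the top of the loop rejects the packet as soon as the declared padding exceeds the remaining bytes. The removed `int padding` sum could apparently wrap on the roughly 16 MB packets the commit message mentions, which would leave `len` too large for the code after this block. I would add above the line: `/* Subtract per byte; a summed padding total can overflow int and leave len too large. */`. The `len<0` test after the block only works if `len` is signed, which should be confirmed because its declaration and the rest of the enclosing function are outside the hunk.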