ref: a11795c47e16945b1f07a87a4a910c98d000d86c
parent: af1f538573c8db589c5c28afad033e36297425a8
author: Timothy B. Terriberry <[email protected]>
date: Tue May 10 06:54:12 EDT 2011
Reject more invalid packets in the decoder. Code 3 packets with 0 frames are now invalid, and any packet with a frame larger than 1275 bytes is invalid (to allow for repacketization).
--- a/src/opus_decoder.c
+++ b/src/opus_decoder.c
@@ -39,6 +39,8 @@
#include "modes.h"
#include "SKP_Silk_SDK_API.h"
+#define MAX_PACKET (1275)
+
/* Make sure everything's aligned to 4 bytes (this may need to be increased
on really weird architectures) */
static inline int align(int i)
@@ -433,7 +435,7 @@
/* Number of frames encoded in bits 0 to 5 */
ch = *data++;
count = ch&0x3F;
- if (st->frame_size*count*25 > 3*st->Fs)
+ if (count <= 0 || st->frame_size*count*25 > 3*st->Fs)
return OPUS_CORRUPTED_DATA;
len--;
/* Padding bit */
@@ -468,11 +470,10 @@
}
if (last_size<0)
return OPUS_CORRUPTED_DATA;
- if (count)
- size[count-1]=last_size;
+ size[count-1]=last_size;
} else {/* CBR case */
- int sz = count != 0 ? len/count : 0;
+ int sz = len/count;
if (sz*count!=len)
return OPUS_CORRUPTED_DATA;
for (i=0;i<count;i++)
@@ -480,6 +481,12 @@
}
break;
}
+ /* Because it's not encoded explicitly, it's possible the size of the
+ last packet (or all the packets, for the CBR case) is larger than
+ 1275.
+ Reject them here.*/
+ if (size[count-1] > MAX_PACKET)
+ return OPUS_CORRUPTED_DATA;
if (count*st->frame_size > frame_size)
return OPUS_BAD_ARG;
nb_samples=0;