Reject more invalid packets in the decoder.
authorTimothy B. Terriberry <tterribe@xiph.org>
Tue, 10 May 2011 17:54:12 +0000 (10:54 -0700)
committerJean-Marc Valin <jean-marc.valin@octasic.com>
Tue, 10 May 2011 18:04:31 +0000 (14:04 -0400)
Code 3 packets with 0 frames are now invalid, and any packet with a
 frame larger than 1275 bytes is invalid (to allow for
 repacketization).

src/opus_decoder.c

index 82453cd..6c07517 100644 (file)
@@ -39,6 +39,8 @@
 #include "modes.h"
 #include "SKP_Silk_SDK_API.h"
 
+#define MAX_PACKET (1275)
+
 /* Make sure everything's aligned to 4 bytes (this may need to be increased
    on really weird architectures) */
 static inline int align(int i)
@@ -433,7 +435,7 @@ int opus_decode(OpusDecoder *st, const unsigned char *data,
                /* Number of frames encoded in bits 0 to 5 */
                ch = *data++;
                count = ch&0x3F;
-               if (st->frame_size*count*25 > 3*st->Fs)
+               if (count <= 0 || st->frame_size*count*25 > 3*st->Fs)
                    return OPUS_CORRUPTED_DATA;
                len--;
                /* Padding bit */
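Review bot: Nothing in this hunk shows that at least one byte remains when `ch = *data++` consumes the frame-count byte; `len--` follows only after the new check. If the code above the hunk does not already guarantee `len >= 1` in this branch, a guard such as `if (len < 1) return OPUS_CORRUPTED_DATA;` before the read would keep a truncated packet from being read past its end. Separately, `count` comes from `ch&0x3F` and cannot be negative, so `count == 0` would state the rejected case more exactly than `count <= 0`. The body of opus_decode starts and ends outside the hunk.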
@@ -468,11 +470,10 @@ int opus_decode(OpusDecoder *st, const unsigned char *data,
                        }
                        if (last_size<0)
                                return OPUS_CORRUPTED_DATA;
-                       if (count)
-                               size[count-1]=last_size;
+                       size[count-1]=last_size;
                } else {
                        /* CBR case */
-                       int sz = count != 0 ? len/count : 0;
+                       int sz = len/count;
                        if (sz*count!=len)
                                return OPUS_CORRUPTED_DATA;
                        for (i=0;i<count;i++)
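Review bot: With the `count` guards removed, `size[count-1]` and `len/count` are safe only because zero-frame code 3 packets are rejected in the earlier hunk, and nothing at these two sites records that dependency. A one-line comment at each, e.g. `/* count >= 1: zero-frame code 3 packets were rejected above */`, would keep a later edit to the earlier check from silently reintroducing a divide by zero or a write to `size[-1]`. The enclosing function extends beyond the hunk.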
@@ -480,6 +481,12 @@ int opus_decode(OpusDecoder *st, const unsigned char *data,
                }
                break;
        }
+       /* Because it's not encoded explicitly, it's possible the size of the
+           last packet (or all the packets, for the CBR case) is larger than
+           1275.
+          Reject them here.*/
+       if (size[count-1] > MAX_PACKET)
+               return OPUS_CORRUPTED_DATA;
        if (count*st->frame_size > frame_size)
                return OPUS_BAD_ARG;
        nb_samples=0;
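Review bot: The new test bounds `size[count-1]` only from above, while the CBR path in the previous hunk could store a negative size. If `len` were negative after padding is subtracted (that code is not visible here) and divisible by `count`, the `sz*count!=len` test would still pass. Unless `len >= 0` is enforced before the sizes are parsed, checking both bounds is cheap: `if (size[count-1] < 0 || size[count-1] > MAX_PACKET)`. The added comment also says "packet" where the commit message means frame, and `MAX_PACKET` itself names a per-frame limit, so wording the comment in terms of frames would avoid confusion with the packet length `len`.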