eden-emu/opus
19
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixes an out-of-bounds read issue with the padding handling code

Browse source 
This was reported by Juri Aedla and is limited to reading memory up
to about 60 kB beyond the compressed buffer. This can only be triggered
by a compressed packet more than about 16 MB long, so it's not a problem
for RTP. In theory, it *could* crash an Ogg decoder if the memory just after
the incoming packet is out-of-range.
This commit is contained in:
Jean-Marc Valin 2012-11-30 17:36:36 -05:00
parent b05aa1dd76
commit 9345aaa5ca
1 changed files with 1 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/opus_decoder.c
View file

@ -641,16 +641,14 @@ static int opus_packet_parse_impl(const unsigned char *data, opus_int32 len,
/* Padding flag is bit 6 */
if (ch&0x40)
{
int padding=0;
int p;
do {
if (len<=0)
return OPUS_INVALID_PACKET;
p = *data++;
len--;
padding += p==255 ? 254: p;
len -= p==255 ? 254: p;
} while (p==255);
len -= padding;
}
if (len<0)
return OPUS_INVALID_PACKET;