[vlc-commits] lpcm: validate block_nb_frames in DVD/LPCM cases

Filip Roséen git at videolan.org
Wed Dec 7 15:16:39 CET 2016


vlc | branch: master | Filip Roséen <filip at atch.se> | Wed Dec  7 15:08:03 2016 +0100| [bec6e29c9925c7d22bfe6401edc0c520f00b62ac] | committer: Jean-Baptiste Kempf

lpcm: validate block_nb_frames in DVD/LPCM cases

Fix heap overflow due to invalid header data

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=bec6e29c9925c7d22bfe6401edc0c520f00b62ac
---

 modules/codec/lpcm.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/modules/codec/lpcm.c b/modules/codec/lpcm.c
index 492426c..628eed3 100644
--- a/modules/codec/lpcm.c
+++ b/modules/codec/lpcm.c
@@ -371,8 +371,9 @@ static block_t *DecodeFrame( decoder_t *p_dec, block_t **pp_block )
 
     int i_ret;
     unsigned i_channels_padding = 0;
-    unsigned i_padding = 0;
+    unsigned i_padding = 0; /* only for AOB */
     aob_group_t p_aob_group[2];
+
     switch( p_sys->i_type )
     {
     case LPCM_VOB:
@@ -424,7 +425,7 @@ static block_t *DecodeFrame( decoder_t *p_dec, block_t **pp_block )
     }
     else
     {
-        i_frame_length = (p_block->i_buffer - p_sys->i_header_size - i_padding) /
+        i_frame_length = (p_block->i_buffer - p_sys->i_header_size) /
                          (i_channels + i_channels_padding) * 8 / i_bits;
     }
 
@@ -468,6 +469,20 @@ static block_t *DecodeFrame( decoder_t *p_dec, block_t **pp_block )
         p_block->p_buffer += p_sys->i_header_size + i_padding;
         p_block->i_buffer -= p_sys->i_header_size + i_padding;
 
+        const unsigned block_nb_frames = p_block->i_buffer / ( i_bits * 4 / 8 );
+        const unsigned aout_nb_frames = p_aout_buffer->i_nb_samples
+            / ( p_dec->fmt_out.audio.i_bitspersample / 8 );
+
+        if( block_nb_frames > aout_nb_frames )
+        {
+            msg_Warn( p_dec, "invalid block size" );
+
+            block_Release( p_block );
+            block_Release( p_aout_buffer );
+
+            return NULL;
+        }
+
         switch( p_sys->i_type )
         {
         case LPCM_WIDI:
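Review bot: The added guard stores `p_block->i_buffer / ( i_bits * 4 / 8 )` in an `unsigned`, and `i_buffer` is a `size_t` in VLC's `block_t`, so on a 64-bit build a very large value is truncated before `block_nb_frames > aout_nb_frames` is evaluated. Such a value can arise if the `p_block->i_buffer -= p_sys->i_header_size + i_padding` two lines above wraps, and nothing visible in this hunk shows that the buffer is at least that long; I would keep the counts in the wider type, `const size_t block_nb_frames = p_block->i_buffer / ( i_bits * 4 / 8 );`, and confirm the short-buffer case is rejected before the subtraction. Both divisors depend on values set outside the hunk (`i_bits * 4 / 8` is zero for `i_bits` below 2, `i_bitspersample / 8` is zero below 8), so either reject a zero divisor here or add a comment such as `/* i_bits is 16, 20 or 24 here, see header parsing */` once that is verified. The check also sits before `switch( p_sys->i_type )` and therefore runs for every type handled there, including `LPCM_WIDI`, while the commit title names only DVD/LPCM, and the literal `4` is unexplained. DecodeFrame starts and ends outside this hunk.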


