[vlc-commits] tospdif: fix buffer bundaries check

Thomas Guillem git at videolan.org
Fri Oct 28 18:03:00 CEST 2016 

vlc | branch: master | Thomas Guillem <thomas at gllm.fr> | Fri Oct 28 10:51:01 2016 +0200| [f8651586b5ab91e2263ea5bf39953bdc2cd407a4] | committer: Thomas Guillem

tospdif: fix buffer bundaries check

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=f8651586b5ab91e2263ea5bf39953bdc2cd407a4
---

 modules/audio_filter/converter/tospdif.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/modules/audio_filter/converter/tospdif.c b/modules/audio_filter/converter/tospdif.c
index 9c07718..3c9f973 100644
--- a/modules/audio_filter/converter/tospdif.c
+++ b/modules/audio_filter/converter/tospdif.c
@@ -200,21 +200,24 @@ static void write_finalize( filter_t *p_filter, uint16_t i_data_type,
 
 static int write_buffer_ac3( filter_t *p_filter, block_t *p_in_buf )
 {
+    static const size_t a52_size = A52_FRAME_NB * 4;
+
     if( unlikely( p_in_buf->i_buffer < 6
-     || p_in_buf->i_buffer > A52_FRAME_NB * 4
+     || p_in_buf->i_buffer > a52_size
      || p_in_buf->i_nb_samples != A52_FRAME_NB ) )
     {
         /* Input is not correctly packetizer. Try to parse the buffer in order
          * to get the mandatory informations to play AC3 over S/PDIF */
         vlc_a52_header_t a52;
         if( vlc_a52_header_Parse( &a52, p_in_buf->p_buffer, p_in_buf->i_buffer )
-            != VLC_SUCCESS || a52.b_eac3 )
+            != VLC_SUCCESS || a52.b_eac3 || a52.i_size > p_in_buf->i_buffer )
             return SPDIF_ERROR;
         p_in_buf->i_buffer = a52.i_size;
         p_in_buf->i_nb_samples = a52.i_samples;
     }
 
-    if( write_init( p_filter, p_in_buf, A52_FRAME_NB * 4, A52_FRAME_NB ) )
+    if( p_in_buf->i_buffer + SPDIF_HEADER_SIZE > a52_size
+     || write_init( p_filter, p_in_buf, a52_size, A52_FRAME_NB ) )
         return SPDIF_ERROR;
     write_buffer( p_filter, p_in_buf );
     write_finalize( p_filter, IEC61937_AC3 |
@@ -230,7 +233,7 @@ static int write_buffer_eac3( filter_t *p_filter, block_t *p_in_buf )
 
     vlc_a52_header_t a52 = { };
     if( vlc_a52_header_Parse( &a52, p_in_buf->p_buffer, p_in_buf->i_buffer )
-        != VLC_SUCCESS )
+        != VLC_SUCCESS || a52.i_size > p_in_buf->i_buffer )
         return SPDIF_ERROR;
 
     p_in_buf->i_buffer = a52.i_size;
@@ -378,7 +381,7 @@ static int write_buffer_dts( filter_t *p_filter, block_t *p_in_buf )
         return SPDIF_ERROR;
     }
 
-    if( p_in_buf->i_buffer > p_in_buf->i_nb_samples * 4
+    if( p_in_buf->i_buffer + SPDIF_HEADER_SIZE > p_in_buf->i_nb_samples * 4
      || write_init( p_filter, p_in_buf, p_in_buf->i_nb_samples * 4,
                     p_in_buf->i_nb_samples ) )
         return SPDIF_ERROR;

More information about the vlc-commits mailing list