[vlc-commits] packetizer: mpeg4audio: reject truncated data

[Francois Cartegnie]

vlc/vlc-3.0 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Wed Jun 10 16:29:46 2020 +0200| [da38519fb81dff9141ae2ab37118efc49485fd77] | committer: Francois Cartegnie

packetizer: mpeg4audio: reject truncated data

(cherry picked from commit 4eb7d1c4c63346f020883f5c9d52437e2df45a3a)

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=da38519fb81dff9141ae2ab37118efc49485fd77
---

 modules/packetizer/mpeg4audio.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/modules/packetizer/mpeg4audio.c b/modules/packetizer/mpeg4audio.c
index b3a12ab2e9..81d921cc93 100644
--- a/modules/packetizer/mpeg4audio.c
+++ b/modules/packetizer/mpeg4audio.c
@@ -712,11 +712,16 @@ static int LatmReadStreamMuxConfiguration(latm_mux_t *m, bs_t *s)
         if (i_mux_version == 1)
             LatmGetValue(s); /* taraBufferFullness */
 
+    if(bs_remain(s) < 11)
+        return -1;
+
     m->b_same_time_framing = bs_read1(s);
     m->i_sub_frames = 1 + bs_read(s, 6);
     m->i_programs = 1 + bs_read(s, 4);
 
     for (int i_program = 0; i_program < m->i_programs; i_program++) {
+        if(bs_remain(s) < 3)
+            return -1;
         m->pi_layers[i_program] = 1+bs_read(s, 3);
 
         for (int i_layer = 0; i_layer < m->pi_layers[i_program]; i_layer++) {
@@ -775,6 +780,9 @@ static int LatmReadStreamMuxConfiguration(latm_mux_t *m, bs_t *s)
         }
     }
 
+    if(bs_remain(s) < 2)
+        return -1;
+
     /* other data */
     if (bs_read1(s)) {
         if (i_mux_version == 1)
@@ -852,6 +860,9 @@ static int LOASParse(decoder_t *p_dec, uint8_t *p_buffer, int i_buffer)
         else return 0;
     }
 
+    if(bs_remain(&s) == 0 && i_buffer)
+        goto truncated;
+
     /* FIXME do we need to split the subframe into independent packet ? */
     if (p_sys->latm.i_sub_frames > 1)
         msg_Err(p_dec, "latm sub frames not yet supported, please send a sample");
@@ -895,6 +906,9 @@ static int LOASParse(decoder_t *p_dec, uint8_t *p_buffer, int i_buffer)
                     if (pi_payload[i_program][i_layer] <= 0)
                         continue;
 
+                    if(pi_payload[i_program][i_layer] > (bs_remain(&s) >> 3))
+                        goto truncated;
+
                     /* FIXME that's slow (and a bit ugly to write in place) */
                     for (int i = 0; i < pi_payload[i_program][i_layer]; i++) {
                         if (i_accumulated >= i_buffer)
@@ -959,6 +973,10 @@ static int LOASParse(decoder_t *p_dec, uint8_t *p_buffer, int i_buffer)
     bs_align(&s);
 
     return i_accumulated;
+
+truncated:
+    msg_Warn(p_dec,"Truncated LAOS packet. Wrong format ?");
+    return 0;
 }
 
 /*****************************************************************************