[vlc-devel] [RFC] codec/lpcm: drop blocks with invalid size

Filip Roséen filip at atch.se
Wed Dec 7 13:35:02 CET 2016


These changes prevent a heap-buffer overflow where the block header
indicates that the block is different than what it actually should be
(given the output-format used within decoder_NewAudioBuffer).

In short, blocks that are too large to fit into the audio-buffer will
be discarded. Prior to these changes the entire contents would be
parsed, leading to undefined-behavior further down the road.
---
 modules/codec/lpcm.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/modules/codec/lpcm.c b/modules/codec/lpcm.c
index 801f12e..b4dcad4 100644
--- a/modules/codec/lpcm.c
+++ b/modules/codec/lpcm.c
@@ -468,6 +468,20 @@ static block_t *DecodeFrame( decoder_t *p_dec, block_t **pp_block )
         p_block->p_buffer += p_sys->i_header_size + i_padding;
         p_block->i_buffer -= p_sys->i_header_size + i_padding;
 
+        const unsigned block_nb_frames = p_block->i_buffer / ( i_bits * 4 / 8 );
+        const unsigned aout_nb_frames = p_aout_buffer->i_nb_samples
+            / ( p_dec->fmt_out.audio.i_bitspersample / 8 );
+
+        if( block_nb_frames > aout_nb_frames )
+        {
+            msg_Warn( p_dec, "invalid block size" );
+
+            block_Release( p_block );
+            block_Release( p_aout_buffer );
+
+            return NULL;
+        }
+
         switch( p_sys->i_type )
         {
         case LPCM_WIDI:
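Review bot: The two quantities compared in the new bounds check are not obviously in the same unit, so the check is hard to verify as written. `block_nb_frames` divides a byte count (`p_block->i_buffer`) by a byte-sized divisor (`i_bits * 4 / 8`), while `aout_nb_frames` divides a sample count (`p_aout_buffer->i_nb_samples`) by bytes per sample (`i_bitspersample / 8`); dividing samples by bytes-per-sample does not yield frames, and the `4` in the left-hand divisor is a magic number whose relation to the channel count is not documented. Please add a comment deriving both values (bytes per frame, frames per output buffer) or rename the variables to the unit they actually hold, so that a reviewer can confirm the bound is neither too loose (overflow still possible) nor too strict (valid blocks dropped). It would also help diagnosis to include the two values in the warning, e.g. `msg_Warn( p_dec, "invalid block size (%u > %u)", block_nb_frames, aout_nb_frames );`, and to note in the commit message that the divisor is assumed non-zero for every `i_bits` value this decoder accepts.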
-- 
2.10.2