[vlc-devel] [RFC] codec/lpcm: drop blocks with invalid size

Francois Cartegnie fcvlcdev at free.fr
Fri Mar 10 15:15:36 CET 2017


On 07/12/2016 at 13:35, Filip Roséen wrote:
> These changes prevent a heap-buffer overflow where the block header
> indicates that the block is different than what it actually should be
> (given the output format used within decoder_NewAudioBuffer).
> 
> In short, blocks that are too large to fit into the audio buffer will
> be discarded. Prior to these changes the entire contents would be
> parsed, leading to undefined behavior further down the road.

If there's an issue (and I don't see how it happens, since the sample
number is computed from the block size, the aout format updated and then
the buffer allocated), the fix is not a post-alloc check.

> @@ -468,6 +468,20 @@ static block_t *DecodeFrame( decoder_t *p_dec, block_t **pp_block )
>          p_block->p_buffer += p_sys->i_header_size + i_padding;
>          p_block->i_buffer -= p_sys->i_header_size + i_padding;
>  
> +        const unsigned block_nb_frames = p_block->i_buffer / ( i_bits * 4 / 8 );
> +        const unsigned aout_nb_frames = p_aout_buffer->i_nb_samples
> +            / ( p_dec->fmt_out.audio.i_bitspersample / 8 );
> +

This is incorrect, and breaks BD LPCM for even channel numbers.


Francois
