|
 |
68c340 |
; You can calculate where the next frame will start depending on things
|
|
|
68c340 |
; like the bitrate. See mad_header_decode(). It seems that when decoding
|
|
|
68c340 |
; the frame you can go past that boundary. This attempts to catch those cases,
|
|
|
68c340 |
; but might not catch all of them.
|
|
|
68c340 |
; For more info see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133
|
|
|
68c340 |
Index: libmad-0.15.1b/layer12.c
|
|
|
68c340 |
===================================================================
|
|
|
68c340 |
--- a/layer12.c 2008-12-23 21:38:07.000000000 +0100
|
|
|
68c340 |
+++ b/layer12.c 2008-12-23 21:38:12.000000000 +0100
|
|
|
68c340 |
@@ -134,6 +134,12 @@
|
|
|
68c340 |
for (sb = 0; sb < bound; ++sb) {
|
|
|
68c340 |
for (ch = 0; ch < nch; ++ch) {
|
|
|
68c340 |
nb = mad_bit_read(&stream->ptr, 4);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
|
|
|
68c340 |
if (nb == 15) {
|
|
|
68c340 |
stream->error = MAD_ERROR_BADBITALLOC;
|
|
|
68c340 |
@@ -146,6 +152,12 @@
|
|
|
68c340 |
|
|
|
68c340 |
for (sb = bound; sb < 32; ++sb) {
|
|
|
68c340 |
nb = mad_bit_read(&stream->ptr, 4);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
|
|
|
68c340 |
if (nb == 15) {
|
|
|
68c340 |
stream->error = MAD_ERROR_BADBITALLOC;
|
|
|
68c340 |
@@ -162,6 +174,12 @@
|
|
|
68c340 |
for (ch = 0; ch < nch; ++ch) {
|
|
|
68c340 |
if (allocation[ch][sb]) {
|
|
|
68c340 |
scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
|
|
|
68c340 |
# if defined(OPT_STRICT)
|
|
|
68c340 |
/*
|
|
|
68c340 |
@@ -187,6 +205,12 @@
|
|
|
68c340 |
frame->sbsample[ch][s][sb] = nb ?
|
|
|
68c340 |
mad_f_mul(I_sample(&stream->ptr, nb),
|
|
|
68c340 |
sf_table[scalefactor[ch][sb]]) : 0;
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
}
|
|
|
68c340 |
}
|
|
|
68c340 |
|
|
|
68c340 |
@@ -195,6 +219,12 @@
|
|
|
68c340 |
mad_fixed_t sample;
|
|
|
68c340 |
|
|
|
68c340 |
sample = I_sample(&stream->ptr, nb);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
|
|
|
68c340 |
for (ch = 0; ch < nch; ++ch) {
|
|
|
68c340 |
frame->sbsample[ch][s][sb] =
|
|
|
68c340 |
@@ -403,7 +433,15 @@
|
|
|
68c340 |
nbal = bitalloc_table[offsets[sb]].nbal;
|
|
|
68c340 |
|
|
|
68c340 |
for (ch = 0; ch < nch; ++ch)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
+ }
|
|
|
68c340 |
}
|
|
|
68c340 |
|
|
|
68c340 |
for (sb = bound; sb < sblimit; ++sb) {
|
|
|
68c340 |
@@ -411,6 +449,13 @@
|
|
|
68c340 |
|
|
|
68c340 |
allocation[0][sb] =
|
|
|
68c340 |
allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
|
|
|
68c340 |
+
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
}
|
|
|
68c340 |
|
|
|
68c340 |
/* decode scalefactor selection info */
|
|
|
68c340 |
@@ -419,6 +464,12 @@
|
|
|
68c340 |
for (ch = 0; ch < nch; ++ch) {
|
|
|
68c340 |
if (allocation[ch][sb])
|
|
|
68c340 |
scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
}
|
|
|
68c340 |
}
|
|
|
68c340 |
|
|
|
68c340 |
@@ -442,6 +493,12 @@
|
|
|
68c340 |
for (ch = 0; ch < nch; ++ch) {
|
|
|
68c340 |
if (allocation[ch][sb]) {
|
|
|
68c340 |
scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
|
|
|
68c340 |
switch (scfsi[ch][sb]) {
|
|
|
68c340 |
case 2:
|
|
|
68c340 |
@@ -452,11 +509,23 @@
|
|
|
68c340 |
|
|
|
68c340 |
case 0:
|
|
|
68c340 |
scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
/* fall through */
|
|
|
68c340 |
|
|
|
68c340 |
case 1:
|
|
|
68c340 |
case 3:
|
|
|
68c340 |
scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
}
|
|
|
68c340 |
|
|
|
68c340 |
if (scfsi[ch][sb] & 1)
|
|
|
68c340 |
@@ -488,6 +557,12 @@
|
|
|
68c340 |
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
|
|
|
68c340 |
|
|
|
68c340 |
II_samples(&stream->ptr, &qc_table[index], samples);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
|
|
|
68c340 |
for (s = 0; s < 3; ++s) {
|
|
|
68c340 |
frame->sbsample[ch][3 * gr + s][sb] =
|
|
|
68c340 |
@@ -506,6 +581,12 @@
|
|
|
68c340 |
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
|
|
|
68c340 |
|
|
|
68c340 |
II_samples(&stream->ptr, &qc_table[index], samples);
|
|
|
68c340 |
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
|
|
|
68c340 |
for (ch = 0; ch < nch; ++ch) {
|
|
|
68c340 |
for (s = 0; s < 3; ++s) {
|
|
|
68c340 |
Index: libmad-0.15.1b/layer3.c
|
|
|
68c340 |
===================================================================
|
|
|
68c340 |
--- a/layer3.c 2008-12-23 21:38:07.000000000 +0100
|
|
|
68c340 |
+++ b/layer3.c 2008-12-23 21:38:12.000000000 +0100
|
|
|
68c340 |
@@ -2608,6 +2608,12 @@
|
|
|
68c340 |
next_md_begin = 0;
|
|
|
68c340 |
|
|
|
68c340 |
md_len = si.main_data_begin + frame_space - next_md_begin;
|
|
|
68c340 |
+ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
|
|
|
68c340 |
+ {
|
|
|
68c340 |
+ stream->error = MAD_ERROR_LOSTSYNC;
|
|
|
68c340 |
+ stream->sync = 0;
|
|
|
68c340 |
+ return -1;
|
|
|
68c340 |
+ }
|
|
|
68c340 |
|
|
|
68c340 |
frame_used = 0;
|
|
|
68c340 |
|