| ; You can calculate where the next frame will start depending on things |
| ; like the bitrate. See mad_header_decode(). It seems that when decoding |
| ; the frame you can go past that boundary. This attempts to catch those cases, |
| ; but might not catch all of them. |
| ; For more info see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133 |
| |
| |
| |
| |
| @@ -134,6 +134,12 @@ |
| for (sb = 0; sb < bound; ++sb) { |
| for (ch = 0; ch < nch; ++ch) { |
| nb = mad_bit_read(&stream->ptr, 4); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| |
| if (nb == 15) { |
| stream->error = MAD_ERROR_BADBITALLOC; |
| @@ -146,6 +152,12 @@ |
| |
| for (sb = bound; sb < 32; ++sb) { |
| nb = mad_bit_read(&stream->ptr, 4); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| |
| if (nb == 15) { |
| stream->error = MAD_ERROR_BADBITALLOC; |
| @@ -162,6 +174,12 @@ |
| for (ch = 0; ch < nch; ++ch) { |
| if (allocation[ch][sb]) { |
| scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| |
| # if defined(OPT_STRICT) |
| /* |
| @@ -187,6 +205,12 @@ |
| frame->sbsample[ch][s][sb] = nb ? |
| mad_f_mul(I_sample(&stream->ptr, nb), |
| sf_table[scalefactor[ch][sb]]) : 0; |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| } |
| } |
| |
| @@ -195,6 +219,12 @@ |
| mad_fixed_t sample; |
| |
| sample = I_sample(&stream->ptr, nb); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| |
| for (ch = 0; ch < nch; ++ch) { |
| frame->sbsample[ch][s][sb] = |
| @@ -403,7 +433,15 @@ |
| nbal = bitalloc_table[offsets[sb]].nbal; |
| |
| for (ch = 0; ch < nch; ++ch) |
| + { |
| allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| + } |
| } |
| |
| for (sb = bound; sb < sblimit; ++sb) { |
| @@ -411,6 +449,13 @@ |
| |
| allocation[0][sb] = |
| allocation[1][sb] = mad_bit_read(&stream->ptr, nbal); |
| + |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| } |
| |
| /* decode scalefactor selection info */ |
| @@ -419,6 +464,12 @@ |
| for (ch = 0; ch < nch; ++ch) { |
| if (allocation[ch][sb]) |
| scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| } |
| } |
| |
| @@ -442,6 +493,12 @@ |
| for (ch = 0; ch < nch; ++ch) { |
| if (allocation[ch][sb]) { |
| scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| |
| switch (scfsi[ch][sb]) { |
| case 2: |
| @@ -452,11 +509,23 @@ |
| |
| case 0: |
| scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| /* fall through */ |
| |
| case 1: |
| case 3: |
| scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| } |
| |
| if (scfsi[ch][sb] & 1) |
| @@ -488,6 +557,12 @@ |
| index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; |
| |
| II_samples(&stream->ptr, &qc_table[index], samples); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| |
| for (s = 0; s < 3; ++s) { |
| frame->sbsample[ch][3 * gr + s][sb] = |
| @@ -506,6 +581,12 @@ |
| index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1]; |
| |
| II_samples(&stream->ptr, &qc_table[index], samples); |
| + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| |
| for (ch = 0; ch < nch; ++ch) { |
| for (s = 0; s < 3; ++s) { |
| |
| |
| |
| |
| @@ -2608,6 +2608,12 @@ |
| next_md_begin = 0; |
| |
| md_len = si.main_data_begin + frame_space - next_md_begin; |
| + if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) |
| + { |
| + stream->error = MAD_ERROR_LOSTSYNC; |
| + stream->sync = 0; |
| + return -1; |
| + } |
| |
| frame_used = 0; |
| |