vlc/vlc-3.0 | branch: master | Francois Cartegnie <[email protected]> | Wed Jun 10 16:29:46 2020 +0200| [da38519fb81dff9141ae2ab37118efc49485fd77] | committer: Francois Cartegnie
packetizer: mpeg4audio: reject truncated data (cherry picked from commit 4eb7d1c4c63346f020883f5c9d52437e2df45a3a) > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=da38519fb81dff9141ae2ab37118efc49485fd77 --- modules/packetizer/mpeg4audio.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/modules/packetizer/mpeg4audio.c b/modules/packetizer/mpeg4audio.c index b3a12ab2e9..81d921cc93 100644 --- a/modules/packetizer/mpeg4audio.c +++ b/modules/packetizer/mpeg4audio.c @@ -712,11 +712,16 @@ static int LatmReadStreamMuxConfiguration(latm_mux_t *m, bs_t *s) if (i_mux_version == 1) LatmGetValue(s); /* taraBufferFullness */ + if(bs_remain(s) < 11) + return -1; + m->b_same_time_framing = bs_read1(s); m->i_sub_frames = 1 + bs_read(s, 6); m->i_programs = 1 + bs_read(s, 4); for (int i_program = 0; i_program < m->i_programs; i_program++) { + if(bs_remain(s) < 3) + return -1; m->pi_layers[i_program] = 1+bs_read(s, 3); for (int i_layer = 0; i_layer < m->pi_layers[i_program]; i_layer++) { @@ -775,6 +780,9 @@ static int LatmReadStreamMuxConfiguration(latm_mux_t *m, bs_t *s) } } + if(bs_remain(s) < 2) + return -1; + /* other data */ if (bs_read1(s)) { if (i_mux_version == 1) @@ -852,6 +860,9 @@ static int LOASParse(decoder_t *p_dec, uint8_t *p_buffer, int i_buffer) else return 0; } + if(bs_remain(&s) == 0 && i_buffer) + goto truncated; + /* FIXME do we need to split the subframe into independent packet ? */ if (p_sys->latm.i_sub_frames > 1) msg_Err(p_dec, "latm sub frames not yet supported, please send a sample"); @@ -895,6 +906,9 @@ static int LOASParse(decoder_t *p_dec, uint8_t *p_buffer, int i_buffer) if (pi_payload[i_program][i_layer] <= 0) continue; + if(pi_payload[i_program][i_layer] > (bs_remain(&s) >> 3)) + goto truncated; + /* FIXME that's slow (and a bit ugly to write in place) */ for (int i = 0; i < pi_payload[i_program][i_layer]; i++) { if (i_accumulated >= i_buffer) @@ -959,6 +973,10 @@ static int LOASParse(decoder_t *p_dec, uint8_t *p_buffer, int i_buffer) bs_align(&s); return i_accumulated; + +truncated: + msg_Warn(p_dec,"Truncated LAOS packet. Wrong format ?"); + return 0; } /***************************************************************************** _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
