Chromium Code Reviews
Side by Side Diff: src/opus_decoder.c

Issue 11575026: Fix possible integer overflow in Opus with ~16MB fed to the decoder. (Closed) Base URL: http://src.chromium.org/svn/trunk/
Patch Set: Fix possible integer overflow in Opus with ~16MB fed to the decoder. Created 8 years ago
OLD | NEW
1 /* Copyright (c) 2010 Xiph.Org Foundation, Skype Limited 1 /* Copyright (c) 2010 Xiph.Org Foundation, Skype Limited
2 Written by Jean-Marc Valin and Koen Vos */ 2 Written by Jean-Marc Valin and Koen Vos */
3 /* 3 /*
4 Redistribution and use in source and binary forms, with or without 4 Redistribution and use in source and binary forms, with or without
5 modification, are permitted provided that the following conditions 5 modification, are permitted provided that the following conditions
6 are met: 6 are met:
7 7
8 - Redistributions of source code must retain the above copyright 8 - Redistributions of source code must retain the above copyright
9 notice, this list of conditions and the following disclaimer. 9 notice, this list of conditions and the following disclaimer.
10 10
(...skipping 594 matching lines...)
605 return OPUS_INVALID_PACKET; 605 return OPUS_INVALID_PACKET;
606 /* Number of frames encoded in bits 0 to 5 */ 606 /* Number of frames encoded in bits 0 to 5 */
607 ch = *data++; 607 ch = *data++;
608 count = ch&0x3F; 608 count = ch&0x3F;
609 if (count <= 0 || framesize*count > 5760) 609 if (count <= 0 || framesize*count > 5760)
610 return OPUS_INVALID_PACKET; 610 return OPUS_INVALID_PACKET;
611 len--; 611 len--;
612 /* Padding flag is bit 6 */ 612 /* Padding flag is bit 6 */
613 if (ch&0x40) 613 if (ch&0x40)
614 { 614 {
615 int padding=0;
616 int p; 615 int p;
617 do { 616 do {
618 if (len<=0) 617 if (len<=0)
619 return OPUS_INVALID_PACKET; 618 return OPUS_INVALID_PACKET;
620 p = *data++; 619 p = *data++;
621 len--; 620 len--;
622 padding += p==255 ? 254: p; 621 len -= p==255 ? 254: p;
623 } while (p==255); 622 } while (p==255);
624 len -= padding;
625 } 623 }
626 if (len<0) 624 if (len<0)
627 return OPUS_INVALID_PACKET; 625 return OPUS_INVALID_PACKET;
628 /* VBR flag is bit 7 */ 626 /* VBR flag is bit 7 */
629 cbr = !(ch&0x80); 627 cbr = !(ch&0x80);
630 if (!cbr) 628 if (!cbr)
631 { 629 {
632 /* VBR case */ 630 /* VBR case */
633 last_size = len; 631 last_size = len;
634 for (i=0;i<count-1;i++) 632 for (i=0;i<count-1;i++)
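Review bot: The in-loop subtraction at new line 621 (`len -= p==255 ? 254: p;`) is only safe because of the `if (len<=0)` test at the top of the `do` loop and the `if (len<0)` test after the block, and nothing in the hunk documents that dependency. Suggest a short comment above the loop stating that `len` is reduced per padding byte so that no running total can grow beyond the packet length. The removed `int padding` accumulator grew by 254 for every 255 byte and is what the issue title ties to the overflow at ~16MB, so the comment would guard against a later refactor reintroducing an accumulator. A regression test that feeds a long run of 255 padding bytes and expects OPUS_INVALID_PACKET would also be worth landing with this change.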
(...skipping 355 matching lines...)
990 if (count<0) 988 if (count<0)
991 return count; 989 return count;
992 990
993 samples = count*opus_packet_get_samples_per_frame(packet, dec->Fs); 991 samples = count*opus_packet_get_samples_per_frame(packet, dec->Fs);
994 /* Can't have more than 120 ms */ 992 /* Can't have more than 120 ms */
995 if (samples*25 > dec->Fs*3) 993 if (samples*25 > dec->Fs*3)
996 return OPUS_INVALID_PACKET; 994 return OPUS_INVALID_PACKET;
997 else 995 else
998 return samples; 996 return samples;
999 } 997 }