pool/opus
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c6d6713ad6
opus/opus-fix-out-of-bounds-read-issue-with-the-padding-handling.patch

25 lines
926 B
Diff
Raw Normal View History

Accepting request 148337 from home:Zaitor:branches:multimedia:libs:opus Fix a minor security issue. This fix is in version 1.0.2, however since we are in freeze, I cherrypicked this fix from upstream git. From commit https://git.xiph.org/?p=opus.git;a=commit;h=9345aaa5ca1c2fb7d62981b2a538e0ce20612c38 Fixes an out-of-bounds read issue with the padding handling code This was reported by Juri Aedla and is limited to reading memory up to about 60 kB beyond the compressed buffer. This can only be triggered by a compressed packet more than about 16 MB long, so it's not a problem for RTP. In theory, it *could* crash an Ogg decoder if the memory just after the incoming packet is out-of-range. OBS-URL: https://build.opensuse.org/request/show/148337 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/opus?expand=0&rev=5
2013-01-13 21:43:28 +01:00
X-Git-Url: https://git.xiph.org/?p=opus.git;a=blobdiff_plain;f=src%2Fopus_decoder.c;h=0be6730d133c417fd87620b774029986dcee6efb;hp=167e4e4891e66dce7a65a6ca761fb58fb190267a;hb=9345aaa5ca1c2fb7d62981b2a538e0ce20612c38;hpb=b05aa1dd763fe238c6e928385664e86bd66118e7
diff --git a/src/opus_decoder.c b/src/opus_decoder.c
index 167e4e4..0be6730 100644
--- a/src/opus_decoder.c
+++ b/src/opus_decoder.c
@@ -641,16 +641,14 @@ static int opus_packet_parse_impl(const unsigned char *data, opus_int32 len,
/* Padding flag is bit 6 */
if (ch&0x40)
{
- int padding=0;
int p;
do {
if (len<=0)
return OPUS_INVALID_PACKET;
p = *data++;
len--;
- padding += p==255 ? 254: p;
+ len -= p==255 ? 254: p;
} while (p==255);
- len -= padding;
}
if (len<0)
return OPUS_INVALID_PACKET;
Reference in New Issue Copy Permalink