diff options
| author | Erik de Castro Lopo <erikd@mega-nerd.com> | 2015-02-08 15:56:38 +1100 |
|---|---|---|
| committer | Erik de Castro Lopo <erikd@mega-nerd.com> | 2015-02-08 16:53:18 +1100 |
| commit | fdd7a0af8cd4bb8df908c6244fc67723d2de74fd (patch) | |
| tree | e800d1571ba5f97d1723a6607a4bb5561a9f72e7 | |
| parent | d2a87385c1ca1d72918e9a2875d24f202a5093e8 (diff) | |
ALAC : Collection of validation and bounds checking fixes.
* Validate channel count returned when decoder is initialized.
* Validate frames_per_packet.
* Bounds check numSamples read from bitstream.
* Increase ALAC_BYTE_BUFFER_SIZE.
* Integer sanitizer fixes.
| -rw-r--r-- | src/ALAC/alac_decoder.c | 10 | ||||
| -rw-r--r-- | src/alac.c | 14 |
2 files changed, 19 insertions, 5 deletions
diff --git a/src/ALAC/alac_decoder.c b/src/ALAC/alac_decoder.c index ea36e3f..cfd981c 100644 --- a/src/ALAC/alac_decoder.c +++ b/src/ALAC/alac_decoder.c @@ -1,6 +1,6 @@ /* * Copyright (c) 2011 Apple Inc. All rights reserved. - * Copyright (C) 2012-2014 Erik de Castro Lopo <erikd@mega-nerd.com> + * Copyright (C) 2012-2015 Erik de Castro Lopo <erikd@mega-nerd.com> * * @APPLE_APACHE_LICENSE_HEADER_START@ * @@ -216,6 +216,8 @@ alac_decode (ALAC_DECODER *p, struct BitBuffer * bits, int32_t * sampleBuffer, u { numSamples = BitBufferRead (bits, 16) << 16 ; numSamples |= BitBufferRead (bits, 16) ; + + RequireAction (numSamples < kALACDefaultFramesPerPacket, return kALAC_ParamError ;) ; } if (escapeFlag == 0) @@ -367,6 +369,8 @@ alac_decode (ALAC_DECODER *p, struct BitBuffer * bits, int32_t * sampleBuffer, u { numSamples = BitBufferRead (bits, 16) << 16 ; numSamples |= BitBufferRead (bits, 16) ; + + RequireAction (numSamples < kALACDefaultFramesPerPacket, return kALAC_ParamError ;) ; } if (escapeFlag == 0) @@ -461,11 +465,11 @@ alac_decode (ALAC_DECODER *p, struct BitBuffer * bits, int32_t * sampleBuffer, u for (i = 0 ; i < numSamples ; i++) { val = (int32_t) BitBufferRead (bits, 16) ; - val = (val << 16) >> shift ; + val = (((uint32_t) val) << 16) >> shift ; p->mMixBufferU [i] = val | BitBufferRead (bits, (uint8_t) extraBits) ; val = (int32_t) BitBufferRead (bits, 16) ; - val = (val << 16) >> shift ; + val = ((uint32_t) val) >> shift ; p->mMixBufferV [i] = val | BitBufferRead (bits, (uint8_t) extraBits) ; } } @@ -1,5 +1,5 @@ /* -** Copyright (C) 2011-2014 Erik de Castro Lopo <erikd@mega-nerd.com> +** Copyright (C) 2011-2015 Erik de Castro Lopo <erikd@mega-nerd.com> ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU Lesser General Public License as published by @@ -31,7 +31,7 @@ #include "ALAC/ALACBitUtilities.h" #define ALAC_MAX_FRAME_SIZE 8192 -#define ALAC_BYTE_BUFFER_SIZE 82000 +#define ALAC_BYTE_BUFFER_SIZE 0x20000 typedef struct @@ -240,6 +240,11 @@ alac_reader_init (SF_PRIVATE *psf, const ALAC_DECODER_INFO * info) return SFE_INTERNAL ; } ; + if (info->frames_per_packet > ALAC_MAX_FRAME_SIZE) + { psf_log_printf (psf, "*** Error : frames_per_packet (%u) is too big. ***\n", info->frames_per_packet) ; + return SFE_INTERNAL ; + } ; + plac = psf->codec_data ; plac->channels = psf->sf.channels ; @@ -261,6 +266,11 @@ alac_reader_init (SF_PRIVATE *psf, const ALAC_DECODER_INFO * info) alac_decoder_init (&plac->decoder, u.kuki, kuki_size) ; + if (plac->decoder.mNumChannels != (unsigned) psf->sf.channels) + { psf_log_printf (psf, "*** Initialized decoder has %u channels, but it should be %d. ***\n", plac->decoder.mNumChannels, psf->sf.channels) ; + return SFE_INTERNAL ; + } ; + switch (info->bits_per_sample) { case 16 : case 20 : |