libmad: fix CVE-2017-8372 and CVE-2017-8374.

This commit is contained in:
travankor 2019-11-14 18:36:19 -07:00 committed by Helmut Pozimski
parent 10d4b87a02
commit c4fe588d09
4 changed files with 866 additions and 194 deletions

View File

@ -0,0 +1,56 @@
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 28 Jan 2018 15:44:08 +0100
Subject: Check the size of the main data
The main data to decode a frame can come from the current frame and part of the
previous frame, the so called bit reservoir. si.main_data_begin is the part of
the previous frame we need for this frame. frame_space is the amount of main
data that can be in this frame, and next_md_begin is the part of this frame that
is going to be used for the next frame.
The maximum amount of data from a previous frame that the format allows is 511
bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2
at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881.
So those defines are not large enough:
# define MAD_BUFFER_GUARD 8
# define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD)
There is also support for a "free" bitrate which allows you to create any frame
size, which can be larger than the buffer.
Changing the defines is not an option since it's part of the ABI, so we check
that the main data fits in the bufer.
The previous frame data is stored in *stream->main_data and contains
stream->md_len bytes. If stream->md_len is larger than the data we
need from the previous frame (si.main_data_begin) it still wouldn't fit
in the buffer, so just keep the data that we need.
--- layer3.c
+++ layer3.c
@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str
next_md_begin = 0;
md_len = si.main_data_begin + frame_space - next_md_begin;
+ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
frame_used = 0;
@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str
}
}
else {
- mad_bit_init(&ptr,
- *stream->main_data + stream->md_len - si.main_data_begin);
+ memmove(stream->main_data,
+ *stream->main_data + stream->md_len - si.main_data_begin,
+ si.main_data_begin);
+ stream->md_len = si.main_data_begin;
+ mad_bit_init(&ptr, *stream->main_data);
if (md_len > si.main_data_begin) {
assert(stream->md_len + md_len -

View File

@ -0,0 +1,809 @@
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 28 Jan 2018 19:26:36 +0100
Subject: Check the size before reading with mad_bit_read
There are various cases where it attemps to read past the end of the buffer
using mad_bit_read(). Most functions didn't even know the size of the buffer
they were reading from.
--- bit.c
+++ bit.c
@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
{
register unsigned long value;
+ if (len == 0)
+ return 0;
+
if (bitptr->left == CHAR_BIT)
bitptr->cache = *bitptr->byte;
--- frame.c
+++ frame.c
@@ -120,11 +120,18 @@ static
int decode_header(struct mad_header *header, struct mad_stream *stream)
{
unsigned int index;
+ struct mad_bitptr bufend_ptr;
header->flags = 0;
header->private_bits = 0;
+ mad_bit_init(&bufend_ptr, stream->bufend);
+
/* header() */
+ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
+ stream->error = MAD_ERROR_BUFLEN;
+ return -1;
+ }
/* syncword */
mad_bit_skip(&stream->ptr, 11);
@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
/* error_check() */
/* crc_check */
- if (header->flags & MAD_FLAG_PROTECTION)
+ if (header->flags & MAD_FLAG_PROTECTION) {
+ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
+ stream->error = MAD_ERROR_BUFLEN;
+ return -1;
+ }
header->crc_target = mad_bit_read(&stream->ptr, 16);
+ }
return 0;
}
@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
stream->error = MAD_ERROR_BUFLEN;
goto fail;
}
- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
/* mark point where frame sync word was expected */
stream->this_frame = ptr;
stream->next_frame = ptr + 1;
@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
ptr = mad_bit_nextbyte(&stream->ptr);
}
+ stream->error = MAD_ERROR_NONE;
+
/* begin processing */
stream->this_frame = ptr;
stream->next_frame = ptr + 1; /* possibly bogus sync word */
@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
/* check that a valid frame header follows this frame */
ptr = stream->next_frame;
- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
ptr = stream->next_frame = stream->this_frame + 1;
goto sync;
}
--- layer12.c
+++ layer12.c
@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
* DESCRIPTION: decode one requantized Layer I sample from a bitstream
*/
static
-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
+mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
{
mad_fixed_t sample;
+ struct mad_bitptr frameend_ptr;
+ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return 0;
+ }
sample = mad_bit_read(ptr, nb);
/* invert most significant bit, extend sign, then scale to fixed format */
@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
struct mad_header *header = &frame->header;
unsigned int nch, bound, ch, s, sb, nb;
unsigned char allocation[2][32], scalefactor[2][32];
+ struct mad_bitptr bufend_ptr, frameend_ptr;
+
+ mad_bit_init(&bufend_ptr, stream->bufend);
+ mad_bit_init(&frameend_ptr, stream->next_frame);
nch = MAD_NCHANNELS(header);
@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
/* check CRC word */
if (header->flags & MAD_FLAG_PROTECTION) {
+ if (mad_bit_length(&stream->ptr, &bufend_ptr)
+ < 4 * (bound * nch + (32 - bound))) {
+ stream->error = MAD_ERROR_BADCRC;
+ return -1;
+ }
header->crc_check =
mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
header->crc_check);
@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
for (sb = 0; sb < bound; ++sb) {
for (ch = 0; ch < nch; ++ch) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
nb = mad_bit_read(&stream->ptr, 4);
if (nb == 15) {
@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
}
for (sb = bound; sb < 32; ++sb) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
nb = mad_bit_read(&stream->ptr, 4);
if (nb == 15) {
@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
for (sb = 0; sb < 32; ++sb) {
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb]) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
# if defined(OPT_STRICT)
@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
for (ch = 0; ch < nch; ++ch) {
nb = allocation[ch][sb];
frame->sbsample[ch][s][sb] = nb ?
- mad_f_mul(I_sample(&stream->ptr, nb),
+ mad_f_mul(I_sample(&stream->ptr, nb, stream),
sf_table[scalefactor[ch][sb]]) : 0;
+ if (stream->error != 0)
+ return -1;
}
}
@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
if ((nb = allocation[0][sb])) {
mad_fixed_t sample;
- sample = I_sample(&stream->ptr, nb);
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
+ sample = I_sample(&stream->ptr, nb, stream);
+ if (stream->error != 0)
+ return -1;
for (ch = 0; ch < nch; ++ch) {
frame->sbsample[ch][s][sb] =
@@ -280,13 +321,21 @@ struct quantclass {
static
void II_samples(struct mad_bitptr *ptr,
struct quantclass const *quantclass,
- mad_fixed_t output[3])
+ mad_fixed_t output[3], struct mad_stream *stream)
{
unsigned int nb, s, sample[3];
+ struct mad_bitptr frameend_ptr;
+
+ mad_bit_init(&frameend_ptr, stream->next_frame);
if ((nb = quantclass->group)) {
unsigned int c, nlevels;
+ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return;
+ }
/* degrouping */
c = mad_bit_read(ptr, quantclass->bits);
nlevels = quantclass->nlevels;
@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
else {
nb = quantclass->bits;
- for (s = 0; s < 3; ++s)
+ for (s = 0; s < 3; ++s) {
+ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return;
+ }
sample[s] = mad_bit_read(ptr, nb);
+ }
}
for (s = 0; s < 3; ++s) {
@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
unsigned char const *offsets;
unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
mad_fixed_t samples[3];
+ struct mad_bitptr frameend_ptr;
+
+ mad_bit_init(&frameend_ptr, stream->next_frame);
nch = MAD_NCHANNELS(header);
@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
for (sb = 0; sb < bound; ++sb) {
nbal = bitalloc_table[offsets[sb]].nbal;
- for (ch = 0; ch < nch; ++ch)
+ for (ch = 0; ch < nch; ++ch) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
+ }
}
for (sb = bound; sb < sblimit; ++sb) {
nbal = bitalloc_table[offsets[sb]].nbal;
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
allocation[0][sb] =
allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
}
@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
for (sb = 0; sb < sblimit; ++sb) {
for (ch = 0; ch < nch; ++ch) {
- if (allocation[ch][sb])
+ if (allocation[ch][sb]) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
+ }
}
}
@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
for (sb = 0; sb < sblimit; ++sb) {
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb]) {
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
switch (scfsi[ch][sb]) {
@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
break;
case 0:
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
/* fall through */
case 1:
case 3:
+ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
}
@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
if ((index = allocation[ch][sb])) {
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
- II_samples(&stream->ptr, &qc_table[index], samples);
+ II_samples(&stream->ptr, &qc_table[index], samples, stream);
+ if (stream->error != 0)
+ return -1;
for (s = 0; s < 3; ++s) {
frame->sbsample[ch][3 * gr + s][sb] =
@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
if ((index = allocation[0][sb])) {
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
- II_samples(&stream->ptr, &qc_table[index], samples);
+ II_samples(&stream->ptr, &qc_table[index], samples, stream);
+ if (stream->error != 0)
+ return -1;
for (ch = 0; ch < nch; ++ch) {
for (s = 0; s < 3; ++s) {
--- layer3.c
+++ layer3.c
@@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_b
static
unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
struct channel *channel,
- struct channel *gr1ch, int mode_extension)
+ struct channel *gr1ch, int mode_extension,
+ unsigned int bits_left, unsigned int *part2_length)
{
struct mad_bitptr start;
unsigned int scalefac_compress, index, slen[4], part, n, i;
@@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct
n = 0;
for (part = 0; part < 4; ++part) {
- for (i = 0; i < nsfb[part]; ++i)
+ for (i = 0; i < nsfb[part]; ++i) {
+ if (bits_left < slen[part])
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[n++] = mad_bit_read(ptr, slen[part]);
+ bits_left -= slen[part];
+ }
}
while (n < 39)
@@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct
max = (1 << slen[part]) - 1;
for (i = 0; i < nsfb[part]; ++i) {
+ if (bits_left < slen[part])
+ return MAD_ERROR_BADSCFSI;
is_pos = mad_bit_read(ptr, slen[part]);
+ bits_left -= slen[part];
channel->scalefac[n] = is_pos;
gr1ch->scalefac[n++] = (is_pos == max);
@@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct
}
}
- return mad_bit_length(&start, ptr);
+ *part2_length = mad_bit_length(&start, ptr);
+ return MAD_ERROR_NONE;
}
/*
@@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct
*/
static
unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
- struct channel const *gr0ch, unsigned int scfsi)
+ struct channel const *gr0ch, unsigned int scfsi,
+ unsigned int bits_left, unsigned int *part2_length)
{
struct mad_bitptr start;
unsigned int slen1, slen2, sfbi;
@@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad
sfbi = 0;
nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3;
- while (nsfb--)
+ while (nsfb--) {
+ if (bits_left < slen1)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1);
+ bits_left -= slen1;
+ }
nsfb = 6 * 3;
- while (nsfb--)
+ while (nsfb--) {
+ if (bits_left < slen2)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2);
+ bits_left -= slen2;
+ }
nsfb = 1 * 3;
while (nsfb--)
@@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
}
else {
- for (sfbi = 0; sfbi < 6; ++sfbi)
+ for (sfbi = 0; sfbi < 6; ++sfbi) {
+ if (bits_left < slen1)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
+ bits_left -= slen1;
+ }
}
if (scfsi & 0x4) {
@@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
}
else {
- for (sfbi = 6; sfbi < 11; ++sfbi)
+ for (sfbi = 6; sfbi < 11; ++sfbi) {
+ if (bits_left < slen1)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
+ bits_left -= slen1;
+ }
}
if (scfsi & 0x2) {
@@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
}
else {
- for (sfbi = 11; sfbi < 16; ++sfbi)
+ for (sfbi = 11; sfbi < 16; ++sfbi) {
+ if (bits_left < slen2)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
+ bits_left -= slen2;
+ }
}
if (scfsi & 0x1) {
@@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
}
else {
- for (sfbi = 16; sfbi < 21; ++sfbi)
+ for (sfbi = 16; sfbi < 21; ++sfbi) {
+ if (bits_left < slen2)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
+ bits_left -= slen2;
+ }
}
channel->scalefac[21] = 0;
}
- return mad_bit_length(&start, ptr);
+ *part2_length = mad_bit_length(&start, ptr);
+ return MAD_ERROR_NONE;
}
/*
@@ -933,19 +968,17 @@ static
enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
struct channel *channel,
unsigned char const *sfbwidth,
- unsigned int part2_length)
+ signed int part3_length)
{
signed int exponents[39], exp;
signed int const *expptr;
struct mad_bitptr peek;
- signed int bits_left, cachesz;
+ signed int bits_left, cachesz, fakebits;
register mad_fixed_t *xrptr;
mad_fixed_t const *sfbound;
register unsigned long bitcache;
- bits_left = (signed) channel->part2_3_length - (signed) part2_length;
- if (bits_left < 0)
- return MAD_ERROR_BADPART3LEN;
+ bits_left = part3_length;
III_exponents(channel, sfbwidth, exponents);
@@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad
cachesz = mad_bit_bitsleft(&peek);
cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7;
+ if (bits_left < cachesz) {
+ cachesz = bits_left;
+ }
bitcache = mad_bit_read(&peek, cachesz);
bits_left -= cachesz;
+ fakebits = 0;
xrptr = &xr[0];
@@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad
big_values = channel->big_values;
- while (big_values-- && cachesz + bits_left > 0) {
+ while (big_values-- && cachesz + bits_left - fakebits > 0) {
union huffpair const *pair;
unsigned int clumpsz, value;
register mad_fixed_t requantized;
@@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad
unsigned int bits;
bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7;
+ if (bits_left < bits) {
+ bits = bits_left;
+ }
bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
cachesz += bits;
bits_left -= bits;
}
+ if (cachesz < 21) {
+ unsigned int bits = 21 - cachesz;
+ bitcache <<= bits;
+ cachesz += bits;
+ fakebits += bits;
+ }
/* hcod (0..19) */
@@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad
}
cachesz -= pair->value.hlen;
+ if (cachesz < fakebits)
+ return MAD_ERROR_BADHUFFDATA;
if (linbits) {
/* x (0..14) */
@@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad
case 15:
if (cachesz < linbits + 2) {
- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
- cachesz += 16;
- bits_left -= 16;
+ unsigned int bits = 16;
+ if (bits_left < 16)
+ bits = bits_left;
+ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
}
+ if (cachesz - fakebits < linbits)
+ return MAD_ERROR_BADHUFFDATA;
value += MASK(bitcache, cachesz, linbits);
cachesz -= linbits;
@@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad
}
x_final:
+ if (cachesz - fakebits < 1)
+ return MAD_ERROR_BADHUFFDATA;
xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
-requantized : requantized;
}
@@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad
case 15:
if (cachesz < linbits + 1) {
- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
- cachesz += 16;
- bits_left -= 16;
+ unsigned int bits = 16;
+ if (bits_left < 16)
+ bits = bits_left;
+ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
}
+ if (cachesz - fakebits < linbits)
+ return MAD_ERROR_BADHUFFDATA;
value += MASK(bitcache, cachesz, linbits);
cachesz -= linbits;
@@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad
}
y_final:
+ if (cachesz - fakebits < 1)
+ return MAD_ERROR_BADHUFFDATA;
xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
-requantized : requantized;
}
@@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad
requantized = reqcache[value] = III_requantize(value, exp);
}
+ if (cachesz - fakebits < 1)
+ return MAD_ERROR_BADHUFFDATA;
xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
-requantized : requantized;
}
@@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad
requantized = reqcache[value] = III_requantize(value, exp);
}
+ if (cachesz - fakebits < 1)
+ return MAD_ERROR_BADHUFFDATA;
xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
-requantized : requantized;
}
@@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad
}
}
- if (cachesz + bits_left < 0)
- return MAD_ERROR_BADHUFFDATA; /* big_values overrun */
-
/* count1 */
{
union huffquad const *table;
@@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad
requantized = III_requantize(1, exp);
- while (cachesz + bits_left > 0 && xrptr <= &xr[572]) {
+ while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) {
union huffquad const *quad;
/* hcod (1..6) */
if (cachesz < 10) {
- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
- cachesz += 16;
- bits_left -= 16;
+ unsigned int bits = 16;
+ if (bits_left < 16)
+ bits = bits_left;
+ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
+ }
+ if (cachesz < 10) {
+ unsigned int bits = 10 - cachesz;
+ bitcache <<= bits;
+ cachesz += bits;
+ fakebits += bits;
}
quad = &table[MASK(bitcache, cachesz, 4)];
@@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad
MASK(bitcache, cachesz, quad->ptr.bits)];
}
+ if (cachesz - fakebits < quad->value.hlen + quad->value.v
+ + quad->value.w + quad->value.x + quad->value.y)
+ /* We don't have enough bits to read one more entry, consider them
+ * stuffing bits. */
+ break;
cachesz -= quad->value.hlen;
if (xrptr == sfbound) {
@@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad
xrptr += 2;
}
-
- if (cachesz + bits_left < 0) {
-# if 0 && defined(DEBUG)
- fprintf(stderr, "huffman count1 overrun (%d bits)\n",
- -(cachesz + bits_left));
-# endif
-
- /* technically the bitstream is misformatted, but apparently
- some encoders are just a bit sloppy with stuffing bits */
-
- xrptr -= 4;
- }
}
- assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT);
-
# if 0 && defined(DEBUG)
if (bits_left < 0)
fprintf(stderr, "read %d bits too many\n", -bits_left);
@@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18
*/
static
enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
- struct sideinfo *si, unsigned int nch)
+ struct sideinfo *si, unsigned int nch, unsigned int md_len)
{
struct mad_header *header = &frame->header;
unsigned int sfreqi, ngr, gr;
+ int bits_left = md_len * CHAR_BIT;
{
unsigned int sfreq;
@@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bit
for (ch = 0; ch < nch; ++ch) {
struct channel *channel = &granule->ch[ch];
unsigned int part2_length;
+ unsigned int part3_length;
sfbwidth[ch] = sfbwidth_table[sfreqi].l;
if (channel->block_type == 2) {
@@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bit
}
if (header->flags & MAD_FLAG_LSF_EXT) {
- part2_length = III_scalefactors_lsf(ptr, channel,
+ error = III_scalefactors_lsf(ptr, channel,
ch == 0 ? 0 : &si->gr[1].ch[1],
- header->mode_extension);
+ header->mode_extension, bits_left, &part2_length);
}
else {
- part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
- gr == 0 ? 0 : si->scfsi[ch]);
+ error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
+ gr == 0 ? 0 : si->scfsi[ch], bits_left, &part2_length);
}
+ if (error)
+ return error;
+
+ bits_left -= part2_length;
- error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length);
+ if (part2_length > channel->part2_3_length)
+ return MAD_ERROR_BADPART3LEN;
+
+ part3_length = channel->part2_3_length - part2_length;
+ if (part3_length > bits_left)
+ return MAD_ERROR_BADPART3LEN;
+
+ error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length);
if (error)
return error;
+ bits_left -= part3_length;
}
/* joint stereo processing */
@@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *str
unsigned int nch, priv_bitlen, next_md_begin = 0;
unsigned int si_len, data_bitlen, md_len;
unsigned int frame_space, frame_used, frame_free;
- struct mad_bitptr ptr;
+ struct mad_bitptr ptr, bufend_ptr;
struct sideinfo si;
enum mad_error error;
int result = 0;
+ mad_bit_init(&bufend_ptr, stream->bufend);
+
/* allocate Layer III dynamic structures */
if (stream->main_data == 0) {
@@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *str
unsigned long header;
mad_bit_init(&peek, stream->next_frame);
+ if (mad_bit_length(&peek, &bufend_ptr) >= 57) {
+ header = mad_bit_read(&peek, 32);
+ if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
+ if (!(header & 0x00010000L)) /* protection_bit */
+ mad_bit_skip(&peek, 16); /* crc_check */
- header = mad_bit_read(&peek, 32);
- if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
- if (!(header & 0x00010000L)) /* protection_bit */
- mad_bit_skip(&peek, 16); /* crc_check */
-
- next_md_begin =
- mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
+ next_md_begin =
+ mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
+ }
}
mad_bit_finish(&peek);
@@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *str
/* decode main_data */
if (result == 0) {
- error = III_decode(&ptr, frame, &si, nch);
+ error = III_decode(&ptr, frame, &si, nch, md_len);
if (error) {
stream->error = error;
result = -1;

View File

@ -1,193 +0,0 @@
; You can calculate where the next frame will start depending on things
; like the bitrate. See mad_header_decode(). It seems that when decoding
; the frame you can go past that boundary. This attempts to catch those cases,
; but might not catch all of them.
; For more info see http://bugs.debian.org/508133
--- layer12.c 2008-12-23 21:38:07.000000000 +0100
+++ layer12.c 2008-12-23 21:38:12.000000000 +0100
@@ -134,6 +134,12 @@
for (sb = 0; sb < bound; ++sb) {
for (ch = 0; ch < nch; ++ch) {
nb = mad_bit_read(&stream->ptr, 4);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
if (nb == 15) {
stream->error = MAD_ERROR_BADBITALLOC;
@@ -146,6 +152,12 @@
for (sb = bound; sb < 32; ++sb) {
nb = mad_bit_read(&stream->ptr, 4);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
if (nb == 15) {
stream->error = MAD_ERROR_BADBITALLOC;
@@ -162,6 +174,12 @@
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb]) {
scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
# if defined(OPT_STRICT)
/*
@@ -187,6 +205,12 @@
frame->sbsample[ch][s][sb] = nb ?
mad_f_mul(I_sample(&stream->ptr, nb),
sf_table[scalefactor[ch][sb]]) : 0;
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
}
}
@@ -195,6 +219,12 @@
mad_fixed_t sample;
sample = I_sample(&stream->ptr, nb);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
for (ch = 0; ch < nch; ++ch) {
frame->sbsample[ch][s][sb] =
@@ -403,7 +433,15 @@
nbal = bitalloc_table[offsets[sb]].nbal;
for (ch = 0; ch < nch; ++ch)
+ {
allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
+ }
}
for (sb = bound; sb < sblimit; ++sb) {
@@ -411,6 +449,13 @@
allocation[0][sb] =
allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
}
/* decode scalefactor selection info */
@@ -419,6 +464,12 @@
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb])
scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
}
}
@@ -442,6 +493,12 @@
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb]) {
scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
switch (scfsi[ch][sb]) {
case 2:
@@ -452,11 +509,23 @@
case 0:
scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
/* fall through */
case 1:
case 3:
scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
}
if (scfsi[ch][sb] & 1)
@@ -488,6 +557,12 @@
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
II_samples(&stream->ptr, &qc_table[index], samples);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
for (s = 0; s < 3; ++s) {
frame->sbsample[ch][3 * gr + s][sb] =
@@ -506,6 +581,12 @@
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
II_samples(&stream->ptr, &qc_table[index], samples);
+ if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
for (ch = 0; ch < nch; ++ch) {
for (s = 0; s < 3; ++s) {
--- layer3.c 2008-12-23 21:38:07.000000000 +0100
+++ layer3.c 2008-12-23 21:38:12.000000000 +0100
@@ -2608,6 +2608,12 @@
next_md_begin = 0;
md_len = si.main_data_begin + frame_space - next_md_begin;
+ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
+ {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
frame_used = 0;

View File

@ -1,7 +1,7 @@
# Template file for 'libmad'
pkgname=libmad
version=0.15.1b
revision=9
revision=10
build_style=gnu-configure
hostmakedepends="automake pkg-config"
short_desc="High-quality MPEG audio decoder"