--- libmad-0.15.1b/bit.c.p4 2019-02-03 13:48:26.664137989 +0200
+++ libmad-0.15.1b/bit.c 2019-02-03 13:48:26.669137936 +0200
@@ -149,6 +149,9 @@
{
register unsigned long value;
+ if (len == 0)
+ return 0;
+
if (bitptr->left == CHAR_BIT)
bitptr->cache = *bitptr->byte;
--- libmad-0.15.1b/frame.c.p4 2019-02-03 13:48:26.664137989 +0200
+++ libmad-0.15.1b/frame.c 2019-02-03 13:48:26.670137925 +0200
@@ -120,11 +120,18 @@
int decode_header(struct mad_header *header, struct mad_stream *stream)
{
unsigned int index;
+ struct mad_bitptr bufend_ptr;
header->flags = 0;
header->private_bits = 0;
+ mad_bit_init(&bufend_ptr, stream->bufend);
+
/* header() */
+ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
+ stream->error = MAD_ERROR_BUFLEN;
+ return -1;
+ }
/* syncword */
mad_bit_w_len_skip(stream->l_ptr, 11);
@@ -225,8 +232,13 @@
/* error_check() */
/* crc_check */
- if (header->flags & MAD_FLAG_PROTECTION)
+ if (header->flags & MAD_FLAG_PROTECTION) {
+ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
+ stream->error = MAD_ERROR_BUFLEN;
+ return -1;
+ }
header->crc_target = mad_bit_w_len_read(stream->l_ptr, 16);
+ }
return 0;
}
@@ -338,7 +350,7 @@
stream->error = MAD_ERROR_BUFLEN;
goto fail;
}
- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
/* mark point where frame sync word was expected */
stream->this_frame = ptr;
stream->next_frame = ptr + 1;
@@ -361,6 +373,8 @@
ptr = mad_bit_w_len_nextbyte(stream->l_ptr);
}
+ stream->error = MAD_ERROR_NONE;
+
/* begin processing */
stream->this_frame = ptr;
stream->next_frame = ptr + 1; /* possibly bogus sync word */
@@ -413,7 +427,7 @@
/* check that a valid frame header follows this frame */
ptr = stream->next_frame;
- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
ptr = stream->next_frame = stream->this_frame + 1;
goto sync;
}
--- libmad-0.15.1b/layer12.c.p4 2019-02-03 13:48:26.667137957 +0200
+++ libmad-0.15.1b/layer12.c 2019-02-03 13:53:05.763143748 +0200
@@ -72,10 +72,18 @@
* DESCRIPTION: decode one requantized Layer I sample from a bitstream
*/
static
-mad_fixed_t I_sample(struct mad_bit_w_lenptr *ptr, unsigned int nb)
+mad_fixed_t I_sample(struct mad_bit_w_lenptr *ptr, unsigned int nb, struct mad_stream *stream)
{
mad_fixed_t sample;
+ struct mad_bit_w_lenptr frameend_ptr;
+ mad_bit_w_len_init(&frameend_ptr, stream->next_frame, 0);
+
+ if (mad_bit_w_len_length(ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return 0;
+ }
sample = mad_bit_w_len_read(ptr, nb);
/* invert most significant bit, extend sign, then scale to fixed format */
@@ -106,6 +114,10 @@
struct mad_header *header = &frame->header;
unsigned int nch, bound, ch, s, sb, nb;
unsigned char allocation[2][32], scalefactor[2][32];
+ struct mad_bit_w_lenptr bufend_ptr, frameend_ptr;
+
+ mad_bit_w_len_init(&bufend_ptr, stream->bufend, 0);
+ mad_bit_w_len_init(&frameend_ptr, stream->next_frame, 0);
nch = MAD_NCHANNELS(header);
@@ -118,6 +130,11 @@
/* check CRC word */
if (header->flags & MAD_FLAG_PROTECTION) {
+ if (mad_bit_w_len_length(stream->l_ptr, &bufend_ptr)
+ < 4 * (bound * nch + (32 - bound))) {
+ stream->error = MAD_ERROR_BADCRC;
+ return -1;
+ }
header->crc_check =
mad_bit_w_len_crc(*stream->l_ptr, 4 * (bound * nch + (32 - bound)),
header->crc_check);
@@ -133,8 +150,13 @@
for (sb = 0; sb < bound; ++sb) {
for (ch = 0; ch < nch; ++ch) {
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < 4) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
nb = mad_bit_w_len_read(stream->l_ptr, 4);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -151,8 +173,13 @@
}
for (sb = bound; sb < 32; ++sb) {
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < 4) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
nb = mad_bit_w_len_read(stream->l_ptr, 4);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -173,8 +200,13 @@
for (sb = 0; sb < 32; ++sb) {
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb]) {
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb] = mad_bit_w_len_read(stream->l_ptr, 6);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -203,9 +235,11 @@
for (ch = 0; ch < nch; ++ch) {
nb = allocation[ch][sb];
frame->sbsample[ch][s][sb] = nb ?
- mad_f_mul(I_sample(stream->l_ptr, nb),
+ mad_f_mul(I_sample(stream->l_ptr, nb, stream),
sf_table[scalefactor[ch][sb]]) : 0;
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (stream->error != 0)
+ return -1;
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -218,8 +252,15 @@
if ((nb = allocation[0][sb])) {
mad_fixed_t sample;
- sample = I_sample(stream->l_ptr, nb);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
+ sample = I_sample(stream->l_ptr, nb, stream);
+ if (stream->error != 0)
+ return -1;
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -310,13 +351,21 @@
static
void II_samples(struct mad_bit_w_lenptr *ptr,
struct quantclass const *quantclass,
- mad_fixed_t output[3])
+ mad_fixed_t output[3], struct mad_stream *stream)
{
unsigned int nb, s, sample[3];
+ struct mad_bit_w_lenptr frameend_ptr;
+
+ mad_bit_w_len_init(&frameend_ptr, stream->next_frame, 0);
if ((nb = quantclass->group)) {
unsigned int c, nlevels;
+ if (mad_bit_w_len_length(ptr, &frameend_ptr) < quantclass->bits) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return;
+ }
/* degrouping */
c = mad_bit_w_len_read(ptr, quantclass->bits);
nlevels = quantclass->nlevels;
@@ -329,8 +378,14 @@
else {
nb = quantclass->bits;
- for (s = 0; s < 3; ++s)
+ for (s = 0; s < 3; ++s) {
+ if (mad_bit_w_len_length(ptr, &frameend_ptr) < nb) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return;
+ }
sample[s] = mad_bit_w_len_read(ptr, nb);
+ }
}
for (s = 0; s < 3; ++s) {
@@ -366,6 +421,9 @@
unsigned char const *offsets;
unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
mad_fixed_t samples[3];
+ struct mad_bit_w_lenptr frameend_ptr;
+
+ mad_bit_w_len_init(&frameend_ptr, stream->next_frame, 0);
nch = MAD_NCHANNELS(header);
@@ -434,8 +492,13 @@
for (ch = 0; ch < nch; ++ch)
{
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < nbal) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
allocation[ch][sb] = mad_bit_w_len_read(stream->l_ptr, nbal);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -446,11 +509,16 @@
for (sb = bound; sb < sblimit; ++sb) {
nbal = bitalloc_table[offsets[sb]].nbal;
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < nbal) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
allocation[0][sb] =
allocation[1][sb] = mad_bit_w_len_read(stream->l_ptr, nbal);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -462,9 +530,15 @@
for (sb = 0; sb < sblimit; ++sb) {
for (ch = 0; ch < nch; ++ch) {
- if (allocation[ch][sb])
+ if (allocation[ch][sb]) {
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < 2) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scfsi[ch][sb] = mad_bit_w_len_read(stream->l_ptr, 2);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ }
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -492,8 +566,13 @@
for (sb = 0; sb < sblimit; ++sb) {
for (ch = 0; ch < nch; ++ch) {
if (allocation[ch][sb]) {
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][0] = mad_bit_w_len_read(stream->l_ptr, 6);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -508,8 +587,13 @@
break;
case 0:
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][1] = mad_bit_w_len_read(stream->l_ptr, 6);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -519,8 +603,13 @@
case 1:
case 3:
+ if (mad_bit_w_len_length(stream->l_ptr, &frameend_ptr) < 6) {
+ stream->error = MAD_ERROR_LOSTSYNC;
+ stream->sync = 0;
+ return -1;
+ }
scalefactor[ch][sb][2] = mad_bit_w_len_read(stream->l_ptr, 6);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -556,8 +645,10 @@
if ((index = allocation[ch][sb])) {
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
- II_samples(stream->l_ptr, &qc_table[index], samples);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ II_samples(stream->l_ptr, &qc_table[index], samples, stream);
+ if (stream->error != 0)
+ return -1;
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
@@ -580,8 +671,10 @@
if ((index = allocation[0][sb])) {
index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
- II_samples(stream->l_ptr, &qc_table[index], samples);
- if (mad_bit_nextbyte(stream->l_ptr) > stream->next_frame)
+ II_samples(stream->l_ptr, &qc_table[index], samples, stream);
+ if (stream->error != 0)
+ return -1;
+ if (mad_bit_w_len_nextbyte(stream->l_ptr) > stream->next_frame)
{
stream->error = MAD_ERROR_LOSTSYNC;
stream->sync = 0;
--- libmad-0.15.1b/layer3.c.p4 2019-02-03 13:48:26.668137947 +0200
+++ libmad-0.15.1b/layer3.c 2019-02-03 13:48:26.671137914 +0200
@@ -598,7 +598,8 @@
static
unsigned int III_scalefactors_lsf(struct mad_bit_w_lenptr *ptr,
struct channel *channel,
- struct channel *gr1ch, int mode_extension)
+ struct channel *gr1ch, int mode_extension,
+ unsigned int bits_left, unsigned int *part2_length)
{
struct mad_bit_w_lenptr start;
unsigned int scalefac_compress, index, slen[4], part, n, i;
@@ -644,8 +645,12 @@
n = 0;
for (part = 0; part < 4; ++part) {
- for (i = 0; i < nsfb[part]; ++i)
+ for (i = 0; i < nsfb[part]; ++i) {
+ if (bits_left < slen[part])
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[n++] = mad_bit_w_len_read(ptr, slen[part]);
+ bits_left -= slen[part];
+ }
}
while (n < 39)
@@ -690,7 +695,10 @@
max = (1 << slen[part]) - 1;
for (i = 0; i < nsfb[part]; ++i) {
+ if (bits_left < slen[part])
+ return MAD_ERROR_BADSCFSI;
is_pos = mad_bit_w_len_read(ptr, slen[part]);
+ bits_left -= slen[part];
channel->scalefac[n] = is_pos;
gr1ch->scalefac[n++] = (is_pos == max);
@@ -703,7 +711,8 @@
}
}
- return mad_bit_w_len_length(&start, ptr);
+ *part2_length = mad_bit_w_len_length(&start, ptr);
+ return MAD_ERROR_NONE;
}
/*
@@ -712,7 +721,8 @@
*/
static
unsigned int III_scalefactors(struct mad_bit_w_lenptr *ptr, struct channel *channel,
- struct channel const *gr0ch, unsigned int scfsi)
+ struct channel const *gr0ch, unsigned int scfsi,
+ unsigned int bits_left, unsigned int *part2_length)
{
struct mad_bit_w_lenptr start;
unsigned int slen1, slen2, sfbi;
@@ -728,12 +738,20 @@
sfbi = 0;
nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3;
- while (nsfb--)
+ while (nsfb--) {
+ if (bits_left < slen1)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi++] = mad_bit_w_len_read(ptr, slen1);
+ bits_left -= slen1;
+ }
nsfb = 6 * 3;
- while (nsfb--)
+ while (nsfb--) {
+ if (bits_left < slen2)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi++] = mad_bit_w_len_read(ptr, slen2);
+ bits_left -= slen2;
+ }
nsfb = 1 * 3;
while (nsfb--)
@@ -745,8 +763,12 @@
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
}
else {
- for (sfbi = 0; sfbi < 6; ++sfbi)
+ for (sfbi = 0; sfbi < 6; ++sfbi) {
+ if (bits_left < slen1)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi] = mad_bit_w_len_read(ptr, slen1);
+ bits_left -= slen1;
+ }
}
if (scfsi & 0x4) {
@@ -754,8 +776,12 @@
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
}
else {
- for (sfbi = 6; sfbi < 11; ++sfbi)
+ for (sfbi = 6; sfbi < 11; ++sfbi) {
+ if (bits_left < slen1)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi] = mad_bit_w_len_read(ptr, slen1);
+ bits_left -= slen1;
+ }
}
if (scfsi & 0x2) {
@@ -763,8 +789,12 @@
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
}
else {
- for (sfbi = 11; sfbi < 16; ++sfbi)
+ for (sfbi = 11; sfbi < 16; ++sfbi) {
+ if (bits_left < slen2)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi] = mad_bit_w_len_read(ptr, slen2);
+ bits_left -= slen2;
+ }
}
if (scfsi & 0x1) {
@@ -772,14 +802,19 @@
channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
}
else {
- for (sfbi = 16; sfbi < 21; ++sfbi)
+ for (sfbi = 16; sfbi < 21; ++sfbi) {
+ if (bits_left < slen2)
+ return MAD_ERROR_BADSCFSI;
channel->scalefac[sfbi] = mad_bit_w_len_read(ptr, slen2);
+ bits_left -= slen2;
+ }
}
channel->scalefac[21] = 0;
}
- return mad_bit_w_len_length(&start, ptr);
+ *part2_length = mad_bit_w_len_length(&start, ptr);
+ return MAD_ERROR_NONE;
}
/*
@@ -933,19 +968,17 @@
enum mad_error III_huffdecode(struct mad_bit_w_lenptr *ptr, mad_fixed_t xr[576],
struct channel *channel,
unsigned char const *sfbwidth,
- unsigned int part2_length)
+ signed int part3_length)
{
signed int exponents[39], exp;
signed int const *expptr;
struct mad_bit_w_lenptr peek;
- signed int bits_left, cachesz;
+ signed int bits_left, cachesz, fakebits;
register mad_fixed_t *xrptr;
mad_fixed_t const *sfbound;
register unsigned long bitcache;
- bits_left = (signed) channel->part2_3_length - (signed) part2_length;
- if (bits_left < 0)
- return MAD_ERROR_BADPART3LEN;
+ bits_left = part3_length;
III_exponents(channel, sfbwidth, exponents);
@@ -956,8 +989,12 @@
cachesz = mad_bit_w_len_bitsleft(&peek);
cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7;
+ if (bits_left < cachesz) {
+ cachesz = bits_left;
+ }
bitcache = mad_bit_w_len_read(&peek, cachesz);
bits_left -= cachesz;
+ fakebits = 0;
xrptr = &xr[0];
@@ -986,7 +1023,7 @@
big_values = channel->big_values;
- while (big_values-- && cachesz + bits_left > 0) {
+ while (big_values-- && cachesz + bits_left - fakebits > 0) {
union huffpair const *pair;
unsigned int clumpsz, value;
register mad_fixed_t requantized;
@@ -1023,10 +1060,19 @@
unsigned int bits;
bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7;
+ if (bits_left < bits) {
+ bits = bits_left;
+ }
bitcache = (bitcache << bits) | mad_bit_w_len_read(&peek, bits);
cachesz += bits;
bits_left -= bits;
}
+ if (cachesz < 21) {
+ unsigned int bits = 21 - cachesz;
+ bitcache <<= bits;
+ cachesz += bits;
+ fakebits += bits;
+ }
/* hcod (0..19) */
@@ -1041,6 +1087,8 @@
}
cachesz -= pair->value.hlen;
+ if (cachesz < fakebits)
+ return MAD_ERROR_BADHUFFDATA;
if (linbits) {
/* x (0..14) */
@@ -1054,10 +1102,15 @@
case 15:
if (cachesz < linbits + 2) {
- bitcache = (bitcache << 16) | mad_bit_w_len_read(&peek, 16);
- cachesz += 16;
- bits_left -= 16;
- }
+ unsigned int bits = 16;
+ if (bits_left < 16)
+ bits = bits_left;
+ bitcache = (bitcache << bits) | mad_bit_w_len_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
+ }
+ if (cachesz - fakebits < linbits)
+ return MAD_ERROR_BADHUFFDATA;
value += MASK(bitcache, cachesz, linbits);
cachesz -= linbits;
@@ -1074,6 +1127,8 @@
}
x_final:
+ if (cachesz - fakebits < 1)
+ return MAD_ERROR_BADHUFFDATA;
xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
-requantized : requantized;
}
@@ -1089,11 +1144,15 @@
case 15:
if (cachesz < linbits + 1) {
- bitcache = (bitcache << 16) | mad_bit_w_len_read(&peek, 16);
- cachesz += 16;
- bits_left -= 16;
+ unsigned int bits = 16;
+ if (bits_left < 16)
+ bits = bits_left;
+ bitcache = (bitcache << bits) | mad_bit_w_len_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
}
-
+ if (cachesz - fakebits < linbits)
+ return MAD_ERROR_BADHUFFDATA;
value += MASK(bitcache, cachesz, linbits);
cachesz -= linbits;
@@ -1109,6 +1168,8 @@
}
y_final:
+ if (cachesz - fakebits < 1)
+ return MAD_ERROR_BADHUFFDATA;
xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
-requantized : requantized;
}
@@ -1128,6 +1189,8 @@
requantized = reqcache[value] = III_requantize(value, exp);
}
+ if (cachesz - fakebits < 1)
+ return MAD_ERROR_BADHUFFDATA;
xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
-requantized : requantized;
}
@@ -1146,6 +1209,8 @@
requantized = reqcache[value] = III_requantize(value, exp);
}
+ if (cachesz - fakebits < 1)
+ return MAD_ERROR_BADHUFFDATA;
xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
-requantized : requantized;
}
@@ -1155,9 +1220,6 @@
}
}
- if (cachesz + bits_left < 0)
- return MAD_ERROR_BADHUFFDATA; /* big_values overrun */
-
/* count1 */
{
union huffquad const *table;
@@ -1167,16 +1229,25 @@
requantized = III_requantize(1, exp);
- while (cachesz + bits_left > 0 && xrptr <= &xr[572]) {
+ while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) {
union huffquad const *quad;
/* hcod (1..6) */
if (cachesz < 10) {
- bitcache = (bitcache << 16) | mad_bit_w_len_read(&peek, 16);
- cachesz += 16;
- bits_left -= 16;
+ unsigned int bits = 16;
+ if (bits_left < 16)
+ bits = bits_left;
+ bitcache = (bitcache << bits) | mad_bit_w_len_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
}
+ if (cachesz < 10) {
+ unsigned int bits = 10 - cachesz;
+ bitcache <<= bits;
+ cachesz += bits;
+ fakebits += bits;
+ }
quad = &table[MASK(bitcache, cachesz, 4)];
@@ -1188,6 +1259,11 @@
MASK(bitcache, cachesz, quad->ptr.bits)];
}
+ if (cachesz - fakebits < quad->value.hlen + quad->value.v
+ + quad->value.w + quad->value.x + quad->value.y)
+ /* We don't have enough bits to read one more entry, consider them
+ * stuffing bits. */
+ break;
cachesz -= quad->value.hlen;
if (xrptr == sfbound) {
@@ -1236,22 +1312,8 @@
xrptr += 2;
}
-
- if (cachesz + bits_left < 0) {
-# if 0 && defined(DEBUG)
- fprintf(stderr, "huffman count1 overrun (%d bits)\n",
- -(cachesz + bits_left));
-# endif
-
- /* technically the bitstream is misformatted, but apparently
- some encoders are just a bit sloppy with stuffing bits */
-
- xrptr -= 4;
- }
}
- assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT);
-
# if 0 && defined(DEBUG)
if (bits_left < 0)
fprintf(stderr, "read %d bits too many\n", -bits_left);
@@ -2348,10 +2410,11 @@
*/
static
enum mad_error III_decode(struct mad_bit_w_lenptr *ptr, struct mad_frame *frame,
- struct sideinfo *si, unsigned int nch)
+ struct sideinfo *si, unsigned int nch, unsigned int md_len)
{
struct mad_header *header = &frame->header;
unsigned int sfreqi, ngr, gr;
+ int bits_left = md_len * CHAR_BIT;
{
unsigned int sfreq;
@@ -2383,6 +2446,7 @@
for (ch = 0; ch < nch; ++ch) {
struct channel *channel = &granule->ch[ch];
unsigned int part2_length;
+ unsigned int part3_length;
sfbwidth[ch] = sfbwidth_table[sfreqi].l;
if (channel->block_type == 2) {
@@ -2391,18 +2455,30 @@
}
if (header->flags & MAD_FLAG_LSF_EXT) {
- part2_length = III_scalefactors_lsf(ptr, channel,
+ error = III_scalefactors_lsf(ptr, channel,
ch == 0 ? 0 : &si->gr[1].ch[1],
- header->mode_extension);
+ header->mode_extension, bits_left, &part2_length);
}
else {
- part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
- gr == 0 ? 0 : si->scfsi[ch]);
+ error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
+ gr == 0 ? 0 : si->scfsi[ch], bits_left, &part2_length);
}
+ if (error)
+ return error;
+
+ bits_left -= part2_length;
- error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length);
+ if (part2_length > channel->part2_3_length)
+ return MAD_ERROR_BADPART3LEN;
+
+ part3_length = channel->part2_3_length - part2_length;
+ if (part3_length > bits_left)
+ return MAD_ERROR_BADPART3LEN;
+
+ error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length);
if (error)
return error;
+ bits_left -= part3_length;
}
/* joint stereo processing */
@@ -2519,11 +2595,13 @@
unsigned int nch, priv_bitlen, next_md_begin = 0;
unsigned int si_len, data_bitlen, md_len;
unsigned int frame_space, frame_used, frame_free;
- struct mad_bit_w_lenptr ptr;
+ struct mad_bit_w_lenptr ptr, bufend_ptr;
struct sideinfo si;
enum mad_error error;
int result = 0;
+ mad_bit_w_len_init(&bufend_ptr, stream->bufend, 0);
+
/* allocate Layer III dynamic structures */
if (stream->main_data == 0) {
@@ -2587,14 +2665,15 @@
unsigned long header;
mad_bit_w_len_init(&peek, stream->next_frame, stream->bufend - stream->next_frame);
+ if (mad_bit_w_len_length(&peek, &bufend_ptr) >= 57) {
+ header = mad_bit_w_len_read(&peek, 32);
+ if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
+ if (!(header & 0x00010000L)) /* protection_bit */
+ mad_bit_w_len_skip(&peek, 16); /* crc_check */
- header = mad_bit_w_len_read(&peek, 32);
- if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
- if (!(header & 0x00010000L)) /* protection_bit */
- mad_bit_w_len_skip(&peek, 16); /* crc_check */
-
- next_md_begin =
- mad_bit_w_len_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
+ next_md_begin =
+ mad_bit_w_len_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
+ }
}
mad_bit_w_len_finish(&peek);
@@ -2651,7 +2730,7 @@
/* decode main_data */
if (result == 0) {
- error = III_decode(&ptr, frame, &si, nch);
+ error = III_decode(&ptr, frame, &si, nch, md_len);
if (error) {
stream->error = error;
result = -1;
distrib
>
Mageia
>
6
>
armv7hl
>
media
>
core-updates-src
>
by-pkgid
>
0342f65f2338666a618b213f840203e8
>
files
>
2
