Fixes an out-of-bounds read issue with the padding handling code

This was reported by Juri Aedla and is limited to reading memory up to about 60 kB beyond the compressed buffer. This can only be triggered by a compressed packet more than about 16 MB long, so it's not a problem for RTP. In theory, it *could* crash an Ogg decoder if the memory just after the incoming packet is out-of-range.
author: Jean-Marc Valin <jmvalin@jmvalin.ca> 2012-11-30 17:36:36 -0500
committer: Jean-Marc Valin <jmvalin@jmvalin.ca> 2012-11-30 17:36:36 -0500
commit: 9345aaa5ca1c2fb7d62981b2a538e0ce20612c38 (patch)
tree: 75f985b77f3c8aa32d2bece49c32b1c6ad1d855f /src/opus_decoder.c
parent: b05aa1dd763fe238c6e928385664e86bd66118e7 (diff)
download: opus-9345aaa5ca1c2fb7d62981b2a538e0ce20612c38.tar.gz
1 files changed, 1 insertions, 3 deletions
diff --git a/src/opus_decoder.c b/src/opus_decoder.c
index 167e4e48..0be6730d 100644
--- a/src/opus_decoder.c
+++ b/src/opus_decoder.c
@@ -641,16 +641,14 @@ static int opus_packet_parse_impl(const unsigned char *data, opus_int32 len,
       /* Padding flag is bit 6 */
       if (ch&0x40)
       {
-         int padding=0;
          int p;
          do {
             if (len<=0)
                return OPUS_INVALID_PACKET;
             p = *data++;
             len--;
-            padding += p==255 ? 254: p;
+            len -= p==255 ? 254: p;
          } while (p==255);
-         len -= padding;
       }
       if (len<0)
          return OPUS_INVALID_PACKET;
author	Jean-Marc Valin <jmvalin@jmvalin.ca>	2012-11-30 17:36:36 -0500
committer	Jean-Marc Valin <jmvalin@jmvalin.ca>	2012-11-30 17:36:36 -0500
commit	9345aaa5ca1c2fb7d62981b2a538e0ce20612c38 (patch)
tree	75f985b77f3c8aa32d2bece49c32b1c6ad1d855f /src/opus_decoder.c
parent	b05aa1dd763fe238c6e928385664e86bd66118e7 (diff)
download	opus-9345aaa5ca1c2fb7d62981b2a538e0ce20612c38.tar.gz