gnu: Add kafs-client
1 Copied from Debian.
2
3 From: Kurt Roeckx <kurt@roeckx.be>
4 Date: Sun, 28 Jan 2018 19:26:36 +0100
5 Subject: Check the size before reading with mad_bit_read
6
7 There are various cases where it attempts to read past the end of the buffer
8 using mad_bit_read(). Most functions didn't even know the size of the buffer
9 they were reading from.
10
11 Index: libmad-0.15.1b/bit.c
12 ===================================================================
13 --- libmad-0.15.1b.orig/bit.c
14 +++ libmad-0.15.1b/bit.c
15 @@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
16 {
17 register unsigned long value;
18
19 + if (len == 0)
20 + return 0;
21 +
22 if (bitptr->left == CHAR_BIT)
23 bitptr->cache = *bitptr->byte;
24
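Review bot: The new `len == 0` early return needs a comment saying why it exists, because mad_bit_read otherwise looks as if a zero-length read were already harmless. Without it the `bitptr->left == CHAR_BIT` branch on the next line dereferences `*bitptr->byte` even when nothing is to be read, and the layer3.c hunks now clamp `bits` to `bits_left`, which reaches 0 exactly when the pointer sits at the end of the data; suggest `/* callers clamp reads to 0 once the data is exhausted; must not touch *bitptr->byte then */`. mad_bit_read still knows nothing about the buffer end for `len > 0`, so every caller remains responsible for bounding its reads. The function body continues outside the hunk.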
25 Index: libmad-0.15.1b/frame.c
26 ===================================================================
27 --- libmad-0.15.1b.orig/frame.c
28 +++ libmad-0.15.1b/frame.c
29 @@ -120,11 +120,18 @@ static
30 int decode_header(struct mad_header *header, struct mad_stream *stream)
31 {
32 unsigned int index;
33 + struct mad_bitptr bufend_ptr;
34
35 header->flags = 0;
36 header->private_bits = 0;
37
38 + mad_bit_init(&bufend_ptr, stream->bufend);
39 +
40 /* header() */
41 + if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
42 + stream->error = MAD_ERROR_BUFLEN;
43 + return -1;
44 + }
45
46 /* syncword */
47 mad_bit_skip(&stream->ptr, 11);
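Review bot: The guard `mad_bit_length(&stream->ptr, &bufend_ptr) < 32` relies on `stream->ptr` lying at or before `stream->bufend`; mad_bit_length yields an unsigned count (this patch stores its result into `unsigned int` out-parameters in layer3.c), so a pointer already past the end would wrap to a large value and pass the test. The hunk does not show that the caller guarantees this ordering, so state it as a precondition, e.g. `/* precondition: stream->ptr <= bufend; mad_bit_length is unsigned and would wrap otherwise */`. The same assumption underlies the 16-bit CRC guard in the next hunk and every `frameend_ptr` check added to layer12.c.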
48 @@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
49 /* error_check() */
50
51 /* crc_check */
52 - if (header->flags & MAD_FLAG_PROTECTION)
53 + if (header->flags & MAD_FLAG_PROTECTION) {
54 + if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
55 + stream->error = MAD_ERROR_BUFLEN;
56 + return -1;
57 + }
58 header->crc_target = mad_bit_read(&stream->ptr, 16);
59 + }
60
61 return 0;
62 }
63 @@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
64 stream->error = MAD_ERROR_BUFLEN;
65 goto fail;
66 }
67 - else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
68 + else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
69 /* mark point where frame sync word was expected */
70 stream->this_frame = ptr;
71 stream->next_frame = ptr + 1;
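Review bot: Prefixing the sync-word test with `(end - ptr >= 2) &&` changes what a truncated tail does: with fewer than two bytes left the whole `else if` is now false, so control falls through to the frame-decoding path as though the sync word had matched, instead of taking the resync branch. If the enclosing `if` (outside the hunk) already rejects buffers shorter than MAD_BUFFER_GUARD with MAD_ERROR_BUFLEN, the new test is redundant but harmless; if it does not, an explicit `if (end - ptr < 2) { stream->error = MAD_ERROR_BUFLEN; goto fail; }` would be clearer than relying on decode_header's new 32-bit check to report the shortfall. The same construction appears in the `check that a valid frame header follows this frame` hunk further down this file. mad_header_decode begins and ends outside the hunk.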
72 @@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
73 ptr = mad_bit_nextbyte(&stream->ptr);
74 }
75
76 + stream->error = MAD_ERROR_NONE;
77 +
78 /* begin processing */
79 stream->this_frame = ptr;
80 stream->next_frame = ptr + 1; /* possibly bogus sync word */
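Review bot: Clearing `stream->error` here is what makes the new `if (stream->error != 0) return -1;` tests after `I_sample()` and `II_samples()` in layer12.c meaningful, and that dependency should be written down: `/* layer12.c tests stream->error after I_sample()/II_samples(); clear any stale value first */`. It is also a fragile contract: the reset lives in mad_header_decode, so any route into mad_layer_I/mad_layer_II that bypasses this point (for instance a header that was already decoded by the application, if frame.c has such a path) would see an error left over from an earlier frame and reject a valid one. Returning an explicit status from I_sample/II_samples, or having the layer decoders reset `stream->error` themselves, would remove the cross-file coupling.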
81 @@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
82 /* check that a valid frame header follows this frame */
83
84 ptr = stream->next_frame;
85 - if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
86 + if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
87 ptr = stream->next_frame = stream->this_frame + 1;
88 goto sync;
89 }
90 Index: libmad-0.15.1b/layer12.c
91 ===================================================================
92 --- libmad-0.15.1b.orig/layer12.c
93 +++ libmad-0.15.1b/layer12.c
94 @@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
95 * DESCRIPTION: decode one requantized Layer I sample from a bitstream
96 */
97 static
98 -mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
99 +mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
100 {
101 mad_fixed_t sample;
102 + struct mad_bitptr frameend_ptr;
103
104 + mad_bit_init(&frameend_ptr, stream->next_frame);
105 +
106 + if (mad_bit_length(ptr, &frameend_ptr) < nb) {
107 + stream->error = MAD_ERROR_LOSTSYNC;
108 + stream->sync = 0;
109 + return 0;
110 + }
111 sample = mad_bit_read(ptr, nb);
112
113 /* invert most significant bit, extend sign, then scale to fixed format */
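Review bot: `mad_bit_init(&frameend_ptr, stream->next_frame)` is recomputed on every call of I_sample, which, judging by the `sbsample[ch][s][sb]` indices at the call sites, runs once per sample, subband and channel, while mad_layer_I already initialises an identical `frameend_ptr` of its own in the next hunk. Passing the caller's `struct mad_bitptr const *frameend` instead of deriving it from `stream` would drop the per-sample re-initialisation and make the bound visible in the signature; II_samples below has the same shape. Note also that the failure path returns 0 as a sample value, so the caller stores a zero into `frame->sbsample` before it tests `stream->error`; harmless, but a one-line comment on the `return 0;` would say so.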
114 @@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
115 struct mad_header *header = &frame->header;
116 unsigned int nch, bound, ch, s, sb, nb;
117 unsigned char allocation[2][32], scalefactor[2][32];
118 + struct mad_bitptr bufend_ptr, frameend_ptr;
119 +
120 + mad_bit_init(&bufend_ptr, stream->bufend);
121 + mad_bit_init(&frameend_ptr, stream->next_frame);
122
123 nch = MAD_NCHANNELS(header);
124
125 @@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
126 /* check CRC word */
127
128 if (header->flags & MAD_FLAG_PROTECTION) {
129 + if (mad_bit_length(&stream->ptr, &bufend_ptr)
130 + < 4 * (bound * nch + (32 - bound))) {
131 + stream->error = MAD_ERROR_BADCRC;
132 + return -1;
133 + }
134 header->crc_check =
135 mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
136 header->crc_check);
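Review bot: This guard reports MAD_ERROR_BADCRC and leaves `stream->sync` untouched, whereas every other length check added to this file reports MAD_ERROR_LOSTSYNC and clears `stream->sync`, and the frame.c checks report MAD_ERROR_BUFLEN; running out of input is not a CRC mismatch, so either align the error code with one of those conventions or add a comment explaining why BADCRC was chosen here. The bound is also taken against `bufend_ptr` although the bits being checksummed belong to this frame; `frameend_ptr`, which this function initialises in the previous hunk, is the tighter bound and the one the allocation reads that follow already use.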
137 @@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
138
139 for (sb = 0; sb < bound; ++sb) {
140 for (ch = 0; ch < nch; ++ch) {
141 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
142 + stream->error = MAD_ERROR_LOSTSYNC;
143 + stream->sync = 0;
144 + return -1;
145 + }
146 nb = mad_bit_read(&stream->ptr, 4);
147
148 if (nb == 15) {
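Review bot: The five-line block `if (mad_bit_length(&stream->ptr, &frameend_ptr) < N) { stream->error = MAD_ERROR_LOSTSYNC; stream->sync = 0; return -1; }` is pasted verbatim here, in the next two hunks of mad_layer_I and in the mad_layer_II hunks, differing only in N (and, with `return;`, in II_samples). A file-local helper would keep the error convention in one place and shrink the layer12.c diff considerably; a sketch follows. Style only; the checks themselves look right.
```c
/* Report MAD_ERROR_LOSTSYNC (and drop sync) when fewer than nbits remain
 * between the stream pointer and frameend; returns 0 in that case, else 1. */
static int
have_bits(struct mad_stream *stream, struct mad_bitptr const *frameend,
          unsigned int nbits)
{
  if (mad_bit_length(&stream->ptr, frameend) < nbits) {
    stream->error = MAD_ERROR_LOSTSYNC;
    stream->sync  = 0;
    return 0;
  }
  return 1;
}

/* … unchanged: mad_layer_I up to the bit-allocation loop … */
      if (!have_bits(stream, &frameend_ptr, 4))
        return -1;
      nb = mad_bit_read(&stream->ptr, 4);
```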
149 @@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
150 }
151
152 for (sb = bound; sb < 32; ++sb) {
153 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
154 + stream->error = MAD_ERROR_LOSTSYNC;
155 + stream->sync = 0;
156 + return -1;
157 + }
158 nb = mad_bit_read(&stream->ptr, 4);
159
160 if (nb == 15) {
161 @@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
162 for (sb = 0; sb < 32; ++sb) {
163 for (ch = 0; ch < nch; ++ch) {
164 if (allocation[ch][sb]) {
165 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
166 + stream->error = MAD_ERROR_LOSTSYNC;
167 + stream->sync = 0;
168 + return -1;
169 + }
170 scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
171
172 # if defined(OPT_STRICT)
173 @@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
174 for (ch = 0; ch < nch; ++ch) {
175 nb = allocation[ch][sb];
176 frame->sbsample[ch][s][sb] = nb ?
177 - mad_f_mul(I_sample(&stream->ptr, nb),
178 + mad_f_mul(I_sample(&stream->ptr, nb, stream),
179 sf_table[scalefactor[ch][sb]]) : 0;
180 + if (stream->error != 0)
181 + return -1;
182 }
183 }
184
185 @@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
186 if ((nb = allocation[0][sb])) {
187 mad_fixed_t sample;
188
189 - sample = I_sample(&stream->ptr, nb);
190 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
191 + stream->error = MAD_ERROR_LOSTSYNC;
192 + stream->sync = 0;
193 + return -1;
194 + }
195 + sample = I_sample(&stream->ptr, nb, stream);
196 + if (stream->error != 0)
197 + return -1;
198
199 for (ch = 0; ch < nch; ++ch) {
200 frame->sbsample[ch][s][sb] =
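Review bot: The new `mad_bit_length(&stream->ptr, &frameend_ptr) < nb` test in front of `I_sample(&stream->ptr, nb, stream)` duplicates the check I_sample now performs at the top of its own body, and the `if (stream->error != 0) return -1;` right after the call already handles that failure. One of the two can go; the earlier call site in this file (`frame->sbsample[ch][s][sb] = nb ? mad_f_mul(I_sample(...` ) relies on the in-function check alone, so dropping the five pre-check lines here keeps the two call sites consistent.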
201 @@ -280,13 +321,21 @@ struct quantclass {
202 static
203 void II_samples(struct mad_bitptr *ptr,
204 struct quantclass const *quantclass,
205 - mad_fixed_t output[3])
206 + mad_fixed_t output[3], struct mad_stream *stream)
207 {
208 unsigned int nb, s, sample[3];
209 + struct mad_bitptr frameend_ptr;
210 +
211 + mad_bit_init(&frameend_ptr, stream->next_frame);
212
213 if ((nb = quantclass->group)) {
214 unsigned int c, nlevels;
215
216 + if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
217 + stream->error = MAD_ERROR_LOSTSYNC;
218 + stream->sync = 0;
219 + return;
220 + }
221 /* degrouping */
222 c = mad_bit_read(ptr, quantclass->bits);
223 nlevels = quantclass->nlevels;
224 @@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
225 else {
226 nb = quantclass->bits;
227
228 - for (s = 0; s < 3; ++s)
229 + for (s = 0; s < 3; ++s) {
230 + if (mad_bit_length(ptr, &frameend_ptr) < nb) {
231 + stream->error = MAD_ERROR_LOSTSYNC;
232 + stream->sync = 0;
233 + return;
234 + }
235 sample[s] = mad_bit_read(ptr, nb);
236 + }
237 }
238
239 for (s = 0; s < 3; ++s) {
240 @@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
241 unsigned char const *offsets;
242 unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
243 mad_fixed_t samples[3];
244 + struct mad_bitptr frameend_ptr;
245 +
246 + mad_bit_init(&frameend_ptr, stream->next_frame);
247
248 nch = MAD_NCHANNELS(header);
249
250 @@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
251 for (sb = 0; sb < bound; ++sb) {
252 nbal = bitalloc_table[offsets[sb]].nbal;
253
254 - for (ch = 0; ch < nch; ++ch)
255 + for (ch = 0; ch < nch; ++ch) {
256 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
257 + stream->error = MAD_ERROR_LOSTSYNC;
258 + stream->sync = 0;
259 + return -1;
260 + }
261 allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
262 + }
263 }
264
265 for (sb = bound; sb < sblimit; ++sb) {
266 nbal = bitalloc_table[offsets[sb]].nbal;
267
268 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
269 + stream->error = MAD_ERROR_LOSTSYNC;
270 + stream->sync = 0;
271 + return -1;
272 + }
273 allocation[0][sb] =
274 allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
275 }
276 @@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
277
278 for (sb = 0; sb < sblimit; ++sb) {
279 for (ch = 0; ch < nch; ++ch) {
280 - if (allocation[ch][sb])
281 + if (allocation[ch][sb]) {
282 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
283 + stream->error = MAD_ERROR_LOSTSYNC;
284 + stream->sync = 0;
285 + return -1;
286 + }
287 scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
288 + }
289 }
290 }
291
292 @@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
293 for (sb = 0; sb < sblimit; ++sb) {
294 for (ch = 0; ch < nch; ++ch) {
295 if (allocation[ch][sb]) {
296 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
297 + stream->error = MAD_ERROR_LOSTSYNC;
298 + stream->sync = 0;
299 + return -1;
300 + }
301 scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
302
303 switch (scfsi[ch][sb]) {
304 @@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
305 break;
306
307 case 0:
308 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
309 + stream->error = MAD_ERROR_LOSTSYNC;
310 + stream->sync = 0;
311 + return -1;
312 + }
313 scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
314 /* fall through */
315
316 case 1:
317 case 3:
318 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
319 + stream->error = MAD_ERROR_LOSTSYNC;
320 + stream->sync = 0;
321 + return -1;
322 + }
323 scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
324 }
325
326 @@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
327 if ((index = allocation[ch][sb])) {
328 index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
329
330 - II_samples(&stream->ptr, &qc_table[index], samples);
331 + II_samples(&stream->ptr, &qc_table[index], samples, stream);
332 + if (stream->error != 0)
333 + return -1;
334
335 for (s = 0; s < 3; ++s) {
336 frame->sbsample[ch][3 * gr + s][sb] =
337 @@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
338 if ((index = allocation[0][sb])) {
339 index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
340
341 - II_samples(&stream->ptr, &qc_table[index], samples);
342 + II_samples(&stream->ptr, &qc_table[index], samples, stream);
343 + if (stream->error != 0)
344 + return -1;
345
346 for (ch = 0; ch < nch; ++ch) {
347 for (s = 0; s < 3; ++s) {
348 Index: libmad-0.15.1b/layer3.c
349 ===================================================================
350 --- libmad-0.15.1b.orig/layer3.c
351 +++ libmad-0.15.1b/layer3.c
352 @@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_b
353 static
354 unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
355 struct channel *channel,
356 - struct channel *gr1ch, int mode_extension)
357 + struct channel *gr1ch, int mode_extension,
358 + unsigned int bits_left, unsigned int *part2_length)
359 {
360 struct mad_bitptr start;
361 unsigned int scalefac_compress, index, slen[4], part, n, i;
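Review bot: III_scalefactors_lsf now returns MAD_ERROR_BADSCFSI or MAD_ERROR_NONE, but its declared return type is still `unsigned int`, so the error contract is invisible at the signature and the caller assigns the result to `error` through an implicit conversion; declare it `enum mad_error III_scalefactors_lsf(...)` as III_huffdecode already is, and do the same for III_scalefactors further down. The `part2_length` out-parameter also deserves a sentence in the function's header comment, since the bit count that used to be the return value is now delivered through it. The function body continues past the hunk.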
362 @@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct
363
364 n = 0;
365 for (part = 0; part < 4; ++part) {
366 - for (i = 0; i < nsfb[part]; ++i)
367 + for (i = 0; i < nsfb[part]; ++i) {
368 + if (bits_left < slen[part])
369 + return MAD_ERROR_BADSCFSI;
370 channel->scalefac[n++] = mad_bit_read(ptr, slen[part]);
371 + bits_left -= slen[part];
372 + }
373 }
374
375 while (n < 39)
376 @@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct
377 max = (1 << slen[part]) - 1;
378
379 for (i = 0; i < nsfb[part]; ++i) {
380 + if (bits_left < slen[part])
381 + return MAD_ERROR_BADSCFSI;
382 is_pos = mad_bit_read(ptr, slen[part]);
383 + bits_left -= slen[part];
384
385 channel->scalefac[n] = is_pos;
386 gr1ch->scalefac[n++] = (is_pos == max);
387 @@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct
388 }
389 }
390
391 - return mad_bit_length(&start, ptr);
392 + *part2_length = mad_bit_length(&start, ptr);
393 + return MAD_ERROR_NONE;
394 }
395
396 /*
397 @@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct
398 */
399 static
400 unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
401 - struct channel const *gr0ch, unsigned int scfsi)
402 + struct channel const *gr0ch, unsigned int scfsi,
403 + unsigned int bits_left, unsigned int *part2_length)
404 {
405 struct mad_bitptr start;
406 unsigned int slen1, slen2, sfbi;
407 @@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad
408 sfbi = 0;
409
410 nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3;
411 - while (nsfb--)
412 + while (nsfb--) {
413 + if (bits_left < slen1)
414 + return MAD_ERROR_BADSCFSI;
415 channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1);
416 + bits_left -= slen1;
417 + }
418
419 nsfb = 6 * 3;
420 - while (nsfb--)
421 + while (nsfb--) {
422 + if (bits_left < slen2)
423 + return MAD_ERROR_BADSCFSI;
424 channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2);
425 + bits_left -= slen2;
426 + }
427
428 nsfb = 1 * 3;
429 while (nsfb--)
430 @@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad
431 channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
432 }
433 else {
434 - for (sfbi = 0; sfbi < 6; ++sfbi)
435 + for (sfbi = 0; sfbi < 6; ++sfbi) {
436 + if (bits_left < slen1)
437 + return MAD_ERROR_BADSCFSI;
438 channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
439 + bits_left -= slen1;
440 + }
441 }
442
443 if (scfsi & 0x4) {
444 @@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad
445 channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
446 }
447 else {
448 - for (sfbi = 6; sfbi < 11; ++sfbi)
449 + for (sfbi = 6; sfbi < 11; ++sfbi) {
450 + if (bits_left < slen1)
451 + return MAD_ERROR_BADSCFSI;
452 channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
453 + bits_left -= slen1;
454 + }
455 }
456
457 if (scfsi & 0x2) {
458 @@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad
459 channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
460 }
461 else {
462 - for (sfbi = 11; sfbi < 16; ++sfbi)
463 + for (sfbi = 11; sfbi < 16; ++sfbi) {
464 + if (bits_left < slen2)
465 + return MAD_ERROR_BADSCFSI;
466 channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
467 + bits_left -= slen2;
468 + }
469 }
470
471 if (scfsi & 0x1) {
472 @@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad
473 channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
474 }
475 else {
476 - for (sfbi = 16; sfbi < 21; ++sfbi)
477 + for (sfbi = 16; sfbi < 21; ++sfbi) {
478 + if (bits_left < slen2)
479 + return MAD_ERROR_BADSCFSI;
480 channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
481 + bits_left -= slen2;
482 + }
483 }
484
485 channel->scalefac[21] = 0;
486 }
487
488 - return mad_bit_length(&start, ptr);
489 + *part2_length = mad_bit_length(&start, ptr);
490 + return MAD_ERROR_NONE;
491 }
492
493 /*
494 @@ -933,19 +968,17 @@ static
495 enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
496 struct channel *channel,
497 unsigned char const *sfbwidth,
498 - unsigned int part2_length)
499 + signed int part3_length)
500 {
501 signed int exponents[39], exp;
502 signed int const *expptr;
503 struct mad_bitptr peek;
504 - signed int bits_left, cachesz;
505 + signed int bits_left, cachesz, fakebits;
506 register mad_fixed_t *xrptr;
507 mad_fixed_t const *sfbound;
508 register unsigned long bitcache;
509
510 - bits_left = (signed) channel->part2_3_length - (signed) part2_length;
511 - if (bits_left < 0)
512 - return MAD_ERROR_BADPART3LEN;
513 + bits_left = part3_length;
514
515 III_exponents(channel, sfbwidth, exponents);
516
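Review bot: `part3_length` is declared `signed int` here while III_decode computes and passes an `unsigned int part3_length` that it has already bounded by `bits_left`, so the conversion at the call site is lossless in practice but the two signatures disagree. Keeping `bits_left` signed is reasonable given the `cachesz + bits_left - fakebits` arithmetic below, so the smaller fix is to match the caller's type and convert once, mirroring the cast style the patch removes: `unsigned int part3_length)` in the signature and `bits_left = (signed) part3_length;` in the body. The function continues outside the hunk.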
517 @@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad
518 cachesz = mad_bit_bitsleft(&peek);
519 cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7;
520
521 + if (bits_left < cachesz) {
522 + cachesz = bits_left;
523 + }
524 bitcache = mad_bit_read(&peek, cachesz);
525 bits_left -= cachesz;
526 + fakebits = 0;
527
528 xrptr = &xr[0];
529
530 @@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad
531
532 big_values = channel->big_values;
533
534 - while (big_values-- && cachesz + bits_left > 0) {
535 + while (big_values-- && cachesz + bits_left - fakebits > 0) {
536 union huffpair const *pair;
537 unsigned int clumpsz, value;
538 register mad_fixed_t requantized;
539 @@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad
540 unsigned int bits;
541
542 bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7;
543 + if (bits_left < bits) {
544 + bits = bits_left;
545 + }
546 bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
547 cachesz += bits;
548 bits_left -= bits;
549 }
550 + if (cachesz < 21) {
551 + unsigned int bits = 21 - cachesz;
552 + bitcache <<= bits;
553 + cachesz += bits;
554 + fakebits += bits;
555 + }
556
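Review bot: The `fakebits` mechanism introduced here — zero bits shifted into `bitcache` so the table lookups can proceed once `bits_left` is exhausted, with every later `cachesz - fakebits` test treating consumption of those bits as an overrun — is never explained in the code, and a reader meeting it first in the `cachesz + bits_left - fakebits > 0` loop condition has to reverse-engineer it. Put a comment at the declaration or at this first padding site, e.g. `/* fakebits: zero padding shifted in once the real bits are exhausted; any decode that would consume them is an overrun (MAD_ERROR_BADHUFFDATA) */`. `fakebits` only ever grows, which appears correct only because real bits are never appended after padding starts (padding happens solely when the preceding read was clamped by `bits_left`, after which further reads are zero-length); that invariant is worth stating alongside the comment.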
557 /* hcod (0..19) */
558
559 @@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad
560 }
561
562 cachesz -= pair->value.hlen;
563 + if (cachesz < fakebits)
564 + return MAD_ERROR_BADHUFFDATA;
565
566 if (linbits) {
567 /* x (0..14) */
568 @@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad
569
570 case 15:
571 if (cachesz < linbits + 2) {
572 - bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
573 - cachesz += 16;
574 - bits_left -= 16;
575 + unsigned int bits = 16;
576 + if (bits_left < 16)
577 + bits = bits_left;
578 + bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
579 + cachesz += bits;
580 + bits_left -= bits;
581 }
582 + if (cachesz - fakebits < linbits)
583 + return MAD_ERROR_BADHUFFDATA;
584
585 value += MASK(bitcache, cachesz, linbits);
586 cachesz -= linbits;
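Review bot: The refill sequence `unsigned int bits = 16; if (bits_left < 16) bits = bits_left; bitcache = (bitcache << bits) | mad_bit_read(&peek, bits); cachesz += bits; bits_left -= bits;` is repeated verbatim in this hunk, in the `y` case-15 hunk and in the count1 hunk, and the `if (cachesz - fakebits < 1) return MAD_ERROR_BADHUFFDATA;` guard four more times. Because `bitcache` is declared `register` its address cannot be taken, so a pointer-taking helper is out; a `do { } while (0)` macro over the locals, in the style of the file's existing MASK macros, removes the duplication without touching the variables. A sketch follows.
```c
/* Pull up to (want) more bits from peek into bitcache, clamped to the
 * bits_left still owned by this granule; a clamped-to-zero read is a no-op. */
# define REFILL_CACHE(want)  do {  \
    unsigned int bits_ = (want);  \
    if (bits_left < (signed int) bits_)  \
      bits_ = bits_left;  \
    bitcache = (bitcache << bits_) | mad_bit_read(&peek, bits_);  \
    cachesz   += bits_;  \
    bits_left -= bits_;  \
  } while (0)

/* … unchanged: case 15 condition … */
	if (cachesz < linbits + 2)
	  REFILL_CACHE(16);
```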
587 @@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad
588 }
589
590 x_final:
591 + if (cachesz - fakebits < 1)
592 + return MAD_ERROR_BADHUFFDATA;
593 xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
594 -requantized : requantized;
595 }
596 @@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad
597
598 case 15:
599 if (cachesz < linbits + 1) {
600 - bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
601 - cachesz += 16;
602 - bits_left -= 16;
603 + unsigned int bits = 16;
604 + if (bits_left < 16)
605 + bits = bits_left;
606 + bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
607 + cachesz += bits;
608 + bits_left -= bits;
609 }
610 + if (cachesz - fakebits < linbits)
611 + return MAD_ERROR_BADHUFFDATA;
612
613 value += MASK(bitcache, cachesz, linbits);
614 cachesz -= linbits;
615 @@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad
616 }
617
618 y_final:
619 + if (cachesz - fakebits < 1)
620 + return MAD_ERROR_BADHUFFDATA;
621 xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
622 -requantized : requantized;
623 }
624 @@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad
625 requantized = reqcache[value] = III_requantize(value, exp);
626 }
627
628 + if (cachesz - fakebits < 1)
629 + return MAD_ERROR_BADHUFFDATA;
630 xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
631 -requantized : requantized;
632 }
633 @@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad
634 requantized = reqcache[value] = III_requantize(value, exp);
635 }
636
637 + if (cachesz - fakebits < 1)
638 + return MAD_ERROR_BADHUFFDATA;
639 xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
640 -requantized : requantized;
641 }
642 @@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad
643 }
644 }
645
646 - if (cachesz + bits_left < 0)
647 - return MAD_ERROR_BADHUFFDATA; /* big_values overrun */
648 -
649 /* count1 */
650 {
651 union huffquad const *table;
652 @@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad
653
654 requantized = III_requantize(1, exp);
655
656 - while (cachesz + bits_left > 0 && xrptr <= &xr[572]) {
657 + while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) {
658 union huffquad const *quad;
659
660 /* hcod (1..6) */
661
662 if (cachesz < 10) {
663 - bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
664 - cachesz += 16;
665 - bits_left -= 16;
666 + unsigned int bits = 16;
667 + if (bits_left < 16)
668 + bits = bits_left;
669 + bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
670 + cachesz += bits;
671 + bits_left -= bits;
672 + }
673 + if (cachesz < 10) {
674 + unsigned int bits = 10 - cachesz;
675 + bitcache <<= bits;
676 + cachesz += bits;
677 + fakebits += bits;
678 }
679
680 quad = &table[MASK(bitcache, cachesz, 4)];
681 @@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad
682 MASK(bitcache, cachesz, quad->ptr.bits)];
683 }
684
685 + if (cachesz - fakebits < quad->value.hlen + quad->value.v
686 + + quad->value.w + quad->value.x + quad->value.y)
687 + /* We don't have enough bits to read one more entry, consider them
688 + * stuffing bits. */
689 + break;
690 cachesz -= quad->value.hlen;
691
692 if (xrptr == sfbound) {
693 @@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad
694
695 xrptr += 2;
696 }
697 -
698 - if (cachesz + bits_left < 0) {
699 -# if 0 && defined(DEBUG)
700 - fprintf(stderr, "huffman count1 overrun (%d bits)\n",
701 - -(cachesz + bits_left));
702 -# endif
703 -
704 - /* technically the bitstream is misformatted, but apparently
705 - some encoders are just a bit sloppy with stuffing bits */
706 -
707 - xrptr -= 4;
708 - }
709 }
710
711 - assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT);
712 -
713 # if 0 && defined(DEBUG)
714 if (bits_left < 0)
715 fprintf(stderr, "read %d bits too many\n", -bits_left);
716 @@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18
717 */
718 static
719 enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
720 - struct sideinfo *si, unsigned int nch)
721 + struct sideinfo *si, unsigned int nch, unsigned int md_len)
722 {
723 struct mad_header *header = &frame->header;
724 unsigned int sfreqi, ngr, gr;
725 + int bits_left = md_len * CHAR_BIT;
726
727 {
728 unsigned int sfreq;
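Review bot: `int bits_left = md_len * CHAR_BIT;` is signed, yet it is handed to the new `unsigned int bits_left` parameters of III_scalefactors/III_scalefactors_lsf and compared with `unsigned int part3_length` in the later `if (part3_length > bits_left)` hunk, so every use converts signed to unsigned. The value stays non-negative because the callees bound their reads by `bits_left` and the `part3_length > bits_left` test precedes the subtraction, so `unsigned int bits_left = md_len * CHAR_BIT;` matches the callees with no behavioural change and removes the -Wsign-compare noise. The product `md_len * CHAR_BIT` also deserves a word on its range, e.g. `/* md_len counts main_data bytes held in the stream buffer, so the product cannot wrap */`, if that bound holds; it is not visible from here. III_decode continues outside the hunk.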
729 @@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bit
730 for (ch = 0; ch < nch; ++ch) {
731 struct channel *channel = &granule->ch[ch];
732 unsigned int part2_length;
733 + unsigned int part3_length;
734
735 sfbwidth[ch] = sfbwidth_table[sfreqi].l;
736 if (channel->block_type == 2) {
737 @@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bit
738 }
739
740 if (header->flags & MAD_FLAG_LSF_EXT) {
741 - part2_length = III_scalefactors_lsf(ptr, channel,
742 + error = III_scalefactors_lsf(ptr, channel,
743 ch == 0 ? 0 : &si->gr[1].ch[1],
744 - header->mode_extension);
745 + header->mode_extension, bits_left, &part2_length);
746 }
747 else {
748 - part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
749 - gr == 0 ? 0 : si->scfsi[ch]);
750 + error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
751 + gr == 0 ? 0 : si->scfsi[ch], bits_left, &part2_length);
752 }
753 + if (error)
754 + return error;
755 +
756 + bits_left -= part2_length;
757
758 - error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length);
759 + if (part2_length > channel->part2_3_length)
760 + return MAD_ERROR_BADPART3LEN;
761 +
762 + part3_length = channel->part2_3_length - part2_length;
763 + if (part3_length > bits_left)
764 + return MAD_ERROR_BADPART3LEN;
765 +
766 + error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length);
767 if (error)
768 return error;
769 + bits_left -= part3_length;
770 }
771
772 /* joint stereo processing */
773 @@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *str
774 unsigned int nch, priv_bitlen, next_md_begin = 0;
775 unsigned int si_len, data_bitlen, md_len;
776 unsigned int frame_space, frame_used, frame_free;
777 - struct mad_bitptr ptr;
778 + struct mad_bitptr ptr, bufend_ptr;
779 struct sideinfo si;
780 enum mad_error error;
781 int result = 0;
782
783 + mad_bit_init(&bufend_ptr, stream->bufend);
784 +
785 /* allocate Layer III dynamic structures */
786
787 if (stream->main_data == 0) {
788 @@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *str
789 unsigned long header;
790
791 mad_bit_init(&peek, stream->next_frame);
792 + if (mad_bit_length(&peek, &bufend_ptr) >= 57) {
793 + header = mad_bit_read(&peek, 32);
794 + if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
795 + if (!(header & 0x00010000L)) /* protection_bit */
796 + mad_bit_skip(&peek, 16); /* crc_check */
797
798 - header = mad_bit_read(&peek, 32);
799 - if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
800 - if (!(header & 0x00010000L)) /* protection_bit */
801 - mad_bit_skip(&peek, 16); /* crc_check */
802 -
803 - next_md_begin =
804 - mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
805 + next_md_begin =
806 + mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
807 + }
808 }
809
810 mad_bit_finish(&peek);
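Review bot: The literal 57 should say what it is made of, e.g. `/* 32 header + 16 optional crc_check + at most 9 main_data_begin bits */`, otherwise the next reader has to re-derive it from the reads inside the block. Note too that when fewer than 57 bits remain the block is skipped and `next_md_begin` keeps the 0 it was initialised with, so the frame is then sized as if the following frame reserved no main data; if that is the intended end-of-buffer behaviour (presumably the caller reports MAD_ERROR_BUFLEN anyway), a comment on the `if` would make it deliberate rather than incidental. mad_layer_III continues outside the hunk.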
811 @@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *str
812 /* decode main_data */
813
814 if (result == 0) {
815 - error = III_decode(&ptr, frame, &si, nch);
816 + error = III_decode(&ptr, frame, &si, nch, md_len);
817 if (error) {
818 stream->error = error;
819 result = -1;