ref: 746e2af0c21b6b9329d553f69d32fc8c79395cf6
parent: aa0e15c6b6600a961383e34e55f662cdb6ce8876
author: Mark Harris <mark.hsj@gmail.com>
date: Wed Sep 30 21:25:13 EDT 2015
opusenc: Validate AIFF/WAV channel count Interpret channel count properly for input format (signed for AIFF, unsigned for WAV) and reject invalid values. Fixes https://trac.xiph.org/ticket/2136 (CVE-2014-9639), https://trac.xiph.org/ticket/2137 (CVE-2014-9638).
--- a/src/audio-in.c
+++ b/src/audio-in.c
@@ -321,11 +321,17 @@
return 0;
}
- format.channels = READ_U16_BE(buffer);
+ format.channels = (short)READ_U16_BE(buffer);
format.totalframes = READ_U32_BE(buffer+2);
format.samplesize = READ_U16_BE(buffer+6);
format.rate = (int)read_IEEE80(buffer+8);
+ if(format.channels <= 0)
+ {+ fprintf(stderr, _("ERROR: Invalid channel count in AIFF header\n"));+ return 0;
+ }
+
if(aifc)
{if(len < 22)
@@ -486,6 +492,12 @@
format.bytespersec = READ_U32_LE(buf+8);
format.align = READ_U16_LE(buf+12);
format.samplesize = READ_U16_LE(buf+14);
+
+ if(format.channels == 0)
+ {+ fprintf(stderr, _("ERROR: Zero channels in WAV header\n"));+ return 0;
+ }
if(format.format == -2) /* WAVE_FORMAT_EXTENSIBLE */
{--- a/src/opusenc.h
+++ b/src/opusenc.h
@@ -61,7 +61,7 @@
typedef struct {short format;
- short channels;
+ unsigned short channels;
int samplerate;
int bytespersec;
short align;
@@ -70,7 +70,7 @@
} wav_fmt;
typedef struct {- short channels;
+ unsigned short channels;
short samplesize;
opus_int64 totalsamples;
opus_int64 samplesread;