ref: dc500a7ac53098c5b360c33936a2e74c6a99cbfc
parent: 81a73acad883be970a0efb70af6256011a3ce949
author: Gregory Maxwell <greg@xiph.org>
date: Sun May 27 00:16:20 EDT 2012
Additional header checks.
--- a/src/opus_header.c
+++ b/src/opus_header.c
@@ -154,10 +154,16 @@
{if (!read_chars(&p, &ch, 1))
return 0;
+
+ if (ch<1)
+ return 0;
h->nb_streams = ch;
if (!read_chars(&p, &ch, 1))
return 0;
+
+ if (ch>h->nb_streams || (ch+h->nb_streams)>255)
+ return 0;
h->nb_coupled = ch;
/* Multi-stream support */
@@ -165,8 +171,12 @@
{if (!read_chars(&p, &h->stream_map[i], 1))
return 0;
+ if (h->stream_map[i]>(h->nb_streams+h->nb_coupled) && h->stream_map[i]!=255)
+ return 0;
}
} else {+ if(h->channels>2)
+ return 0;
h->nb_streams = 1;
h->nb_coupled = h->channels>1;
h->stream_map[0]=0;
--- a/src/opusdec.c
+++ b/src/opusdec.c
@@ -719,6 +719,8 @@
if (packet_count==0)
{st = process_header(&op, &rate, &channels, &preskip, &gain, &streams, quiet);
+ if (!st)
+ exit(1);
gran_offset=preskip;
if(!shapemem.a_buf)
{@@ -727,8 +729,6 @@
shapemem.fs=rate;
}
if(!output)output=malloc(sizeof(float)*MAX_FRAME_SIZE*channels);
- if (!st)
- exit(1);
if (rate != 48000)
{int err;