ref: fe1ab2893ef3619b4a63b69a1608ba54ac49efad
parent: a214a46731b1636f8f78582885294145989d60d1
author: Timothy B. Terriberry <tterribe@xiph.org>
date: Wed Jul 24 07:42:46 EDT 2024
Validate frame idx when scanning for DRED payload. Without this check, a DRED extension encoded with an invalid frame number would still be used, potentially with a surprisingly large dred_frame_offset.
--- a/src/opus_decoder.c
+++ b/src/opus_decoder.c
@@ -1299,7 +1299,7 @@
const unsigned char *data0;
int len0;
int frame = 0;
- int ret;
+ int nb_frames;
const unsigned char *frames[48];
opus_int16 size[48];
int frame_size;
@@ -1306,9 +1306,9 @@
*payload = NULL;
/* Get the padding section of the packet. */
- ret = opus_packet_parse_impl(data, len, 0, NULL, frames, size, NULL, NULL, &data0, &len0);
- if (ret < 0)
- return ret;
+ nb_frames = opus_packet_parse_impl(data, len, 0, NULL, frames, size, NULL, NULL, &data0, &len0);
+ if (nb_frames < 0)
+ return nb_frames;
frame_size = opus_packet_get_samples_per_frame(data, 48000);
data = data0;
len = len0;
@@ -1331,6 +1331,9 @@
frame++;
} else {
frame += data0[1];
+ }
+ if (frame >= nb_frames) {
+ break;
}
} else if (id == DRED_EXTENSION_ID)
{--
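Review bot: The added `if (frame >= nb_frames) { break; }` guard carries no comment, although it is the bounds check that keeps an out-of-range frame index from reaching the DRED path and producing the large dred_frame_offset the commit message describes. I would put `/* Frame separator points past the last frame of the packet: stop scanning so a malformed extension is never used for DRED. */` directly above it. The guard sits inside the separator branch only, so a DRED extension seen before any separator is accepted with the initial `frame = 0`; that is safe only if a successful opus_packet_parse_impl() always reports at least one frame, which is not visible here and worth confirming or asserting. The `break` also makes a malformed padding section indistinguishable from one with no DRED data, which appears intentional but should be stated in the comment. The enclosing loop and function start and end outside this hunk.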