From: Mans Rullgard
To: sox-devel@lists.sourceforge.net
Date: Thu, 26 Apr 2018 22:10:35 +0100
Message-Id: <20180426211036.5735-5-mans@mansr.com>
Subject: [PATCH 4/5] amr: check for invalid block types

This fixes infinite loops and crashes with invalid inputs.

--- src/amr.h | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/amr.h b/src/amr.h index 900bb94e0f5a..c7ea9553263a 100644 --- a/src/amr.h +++ b/src/amr.h
@@ -74,13 +74,18 @@ typedef struct amr_priv_t { static size_t decode_1_frame(sox_format_t * ft) { priv_t * p = (priv_t *)ft->priv; - size_t n_1; + size_t n; uint8_t coded[AMR_CODED_MAX]; if (lsx_readbuf(ft, &coded[0], (size_t)1) != 1) return AMR_FRAME; - n_1 = amr_block_size[(coded[0] >> 3) & 0x0F] - 1; - if (lsx_readbuf(ft, &coded[1], n_1) != n_1) + n = amr_block_size[(coded[0] >> 3) & 0x0F]; + if (!n) { + lsx_fail("invalid block type"); + return AMR_FRAME; + } + n--; + if (lsx_readbuf(ft, &coded[1], n) != n) return AMR_FRAME; AMR_CALL(p, AmrOpencoreDecoderDecode, AmrGp3DecoderDecode, (p->state, coded, p->pcm, 0)); return 0; @@ -160,6 +165,10 @@ static size_t amr_duration_frames(sox_format_t * ft) for (frames = 0; lsx_readbuf(ft, &coded, (size_t)1) == 1; ++frames) { frame_size = amr_block_size[coded >> 3 & 15]; + if (!frame_size) { + lsx_fail("invalid block type"); + break; + } if (lsx_seeki(ft, frame_size - 1, SEEK_CUR)) { lsx_fail("seek"); break; -- 2.17.0
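Review bot: in decode_1_frame the new `if (!n)` test rejects only zero entries, so the read into `&coded[1]` is still bounded by nothing except the contents of amr_block_size, which this hunk does not show. Since `coded` is a fixed `uint8_t coded[AMR_CODED_MAX]` on the stack, I would reject `n > AMR_CODED_MAX` in the same condition, before `n--`, so the buffer stays safe even if a table entry is ever changed. It would also help to note in a comment that the old `n_1 = ... - 1` wrapped around in size_t when the entry was 0, which is the case this check exists for. Finally, the invalid-type path returns AMR_FRAME, the same value as the two short-read paths, so the caller cannot tell a malformed file from end of input; if that is intended, a one-line comment would make it clear.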
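Review bot: the `lsx_fail("invalid block type")` added in amr_duration_frames does not say which type value was rejected, which makes a malformed file harder to diagnose; consider including `coded >> 3 & 15` in the message. The same lookup and zero check now appear in both functions with differently spelled index expressions (`(coded[0] >> 3) & 0x0F` in decode_1_frame, `coded >> 3 & 15` here), so a small helper that takes the header byte and returns the validated size would keep the two sites from drifting apart. It is also worth confirming that the code after the `break`, which is outside this hunk, does not use the partial `frames` count as if the scan had completed.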