1 ; You can calculate where the next frame will start depending on things
2 ; like the bitrate. See mad_header_decode(). It seems that when decoding
3 ; the frame you can go past that boundary. This attempts to catch those cases,
4 ; but might not catch all of them.
5 ; For more info see http://bugs.debian.org/508133
6 Index: libmad-0.15.1b/layer12.c
7 ===================================================================
8 --- libmad-0.15.1b.orig/layer12.c 2008-12-23 21:38:07.000000000 +0100
9 +++ libmad-0.15.1b/layer12.c 2008-12-23 21:38:12.000000000 +0100
11 for (sb = 0; sb < bound; ++sb) {
12 for (ch = 0; ch < nch; ++ch) {
13 nb = mad_bit_read(&stream->ptr, 4);
14 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
16 + stream->error = MAD_ERROR_LOSTSYNC;
22 stream->error = MAD_ERROR_BADBITALLOC;
25 for (sb = bound; sb < 32; ++sb) {
26 nb = mad_bit_read(&stream->ptr, 4);
27 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
29 + stream->error = MAD_ERROR_LOSTSYNC;
35 stream->error = MAD_ERROR_BADBITALLOC;
37 for (ch = 0; ch < nch; ++ch) {
38 if (allocation[ch][sb]) {
39 scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
40 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
42 + stream->error = MAD_ERROR_LOSTSYNC;
47 # if defined(OPT_STRICT)
50 frame->sbsample[ch][s][sb] = nb ?
51 mad_f_mul(I_sample(&stream->ptr, nb),
52 sf_table[scalefactor[ch][sb]]) : 0;
53 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
55 + stream->error = MAD_ERROR_LOSTSYNC;
65 sample = I_sample(&stream->ptr, nb);
66 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
68 + stream->error = MAD_ERROR_LOSTSYNC;
73 for (ch = 0; ch < nch; ++ch) {
74 frame->sbsample[ch][s][sb] =
76 nbal = bitalloc_table[offsets[sb]].nbal;
78 for (ch = 0; ch < nch; ++ch)
80 allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
81 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
83 + stream->error = MAD_ERROR_LOSTSYNC;
90 for (sb = bound; sb < sblimit; ++sb) {
94 allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
96 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
98 + stream->error = MAD_ERROR_LOSTSYNC;
104 /* decode scalefactor selection info */
106 for (ch = 0; ch < nch; ++ch) {
107 if (allocation[ch][sb])
108 scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
109 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
111 + stream->error = MAD_ERROR_LOSTSYNC;
119 for (ch = 0; ch < nch; ++ch) {
120 if (allocation[ch][sb]) {
121 scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
122 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
124 + stream->error = MAD_ERROR_LOSTSYNC;
129 switch (scfsi[ch][sb]) {
131 @@ -452,11 +509,23 @@
134 scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
135 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
137 + stream->error = MAD_ERROR_LOSTSYNC;
145 scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
146 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
148 + stream->error = MAD_ERROR_LOSTSYNC;
154 if (scfsi[ch][sb] & 1)
156 index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
158 II_samples(&stream->ptr, &qc_table[index], samples);
159 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
161 + stream->error = MAD_ERROR_LOSTSYNC;
166 for (s = 0; s < 3; ++s) {
167 frame->sbsample[ch][3 * gr + s][sb] =
169 index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
171 II_samples(&stream->ptr, &qc_table[index], samples);
172 + if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
174 + stream->error = MAD_ERROR_LOSTSYNC;
179 for (ch = 0; ch < nch; ++ch) {
180 for (s = 0; s < 3; ++s) {
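Review bot: The guard added after `nb = mad_bit_read(&stream->ptr, 4)`, and repeated after every other `mad_bit_read`, `I_sample` and `II_samples` call in this section, runs only once the read has already advanced `stream->ptr`, so it reports a read past `next_frame` rather than preventing one. That is safe only if the bytes just past `next_frame` are readable, which presumably rests on guard bytes at the end of the caller's buffer and is not visible here; I would state this at the first site, e.g. `/* post-read check: detects a read past next_frame; relies on readable guard bytes after the frame */`. The same test is pasted at the thirteen sites visible in this section, so one `static` helper that does the comparison and sets `stream->error` would keep them identical and make a read site without the guard easier to spot. The lines between each `if` and the following context are not shown in this rendering, and the enclosing decoder functions begin and end outside the hunks, so the guard bodies themselves could not be checked.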
181 Index: libmad-0.15.1b/layer3.c
182 ===================================================================
183 --- libmad-0.15.1b.orig/layer3.c 2008-12-23 21:38:07.000000000 +0100
184 +++ libmad-0.15.1b/layer3.c 2008-12-23 21:38:12.000000000 +0100
185 @@ -2608,6 +2608,12 @@
188 md_len = si.main_data_begin + frame_space - next_md_begin;
189 + if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
191 + stream->error = MAD_ERROR_LOSTSYNC;