| blob | 80e48469e6523d21035e24804ac8411a3062c40e |
1 From: Kurt Roeckx <kurt@roeckx.be>
2 Date: Sun, 28 Jan 2018 19:26:36 +0100
3 Subject: Check the size before reading with mad_bit_read
5 There are various cases where it attemps to read past the end of the buffer
6 using mad_bit_read(). Most functions didn't even know the size of the buffer
7 they were reading from.
9 Index: libmad-0.15.1b/bit.c
10 ===================================================================
11 --- libmad-0.15.1b.orig/bit.c
12 +++ libmad-0.15.1b/bit.c
13 @@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
14 {
15 register unsigned long value;
17 + if (len == 0)
18 + return 0;
19 +
20 if (bitptr->left == CHAR_BIT)
21 bitptr->cache = *bitptr->byte;
23 Index: libmad-0.15.1b/frame.c
24 ===================================================================
25 --- libmad-0.15.1b.orig/frame.c
26 +++ libmad-0.15.1b/frame.c
27 @@ -120,11 +120,18 @@ static
28 int decode_header(struct mad_header *header, struct mad_stream *stream)
29 {
30 unsigned int index;
31 + struct mad_bitptr bufend_ptr;
33 header->flags = 0;
34 header->private_bits = 0;
36 + mad_bit_init(&bufend_ptr, stream->bufend);
37 +
38 /* header() */
39 + if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
40 + stream->error = MAD_ERROR_BUFLEN;
41 + return -1;
42 + }
44 /* syncword */
45 mad_bit_skip(&stream->ptr, 11);
46 @@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
47 /* error_check() */
49 /* crc_check */
50 - if (header->flags & MAD_FLAG_PROTECTION)
51 + if (header->flags & MAD_FLAG_PROTECTION) {
52 + if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
53 + stream->error = MAD_ERROR_BUFLEN;
54 + return -1;
55 + }
56 header->crc_target = mad_bit_read(&stream->ptr, 16);
57 + }
59 return 0;
60 }
61 @@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
62 stream->error = MAD_ERROR_BUFLEN;
63 goto fail;
64 }
65 - else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
66 + else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
67 /* mark point where frame sync word was expected */
68 stream->this_frame = ptr;
69 stream->next_frame = ptr + 1;
70 @@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
71 ptr = mad_bit_nextbyte(&stream->ptr);
72 }
74 + stream->error = MAD_ERROR_NONE;
75 +
76 /* begin processing */
77 stream->this_frame = ptr;
78 stream->next_frame = ptr + 1; /* possibly bogus sync word */
79 @@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
80 /* check that a valid frame header follows this frame */
82 ptr = stream->next_frame;
83 - if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
84 + if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
85 ptr = stream->next_frame = stream->this_frame + 1;
86 goto sync;
87 }
88 Index: libmad-0.15.1b/layer12.c
89 ===================================================================
90 --- libmad-0.15.1b.orig/layer12.c
91 +++ libmad-0.15.1b/layer12.c
92 @@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
93 * DESCRIPTION: decode one requantized Layer I sample from a bitstream
94 */
95 static
96 -mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
97 +mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
98 {
99 mad_fixed_t sample;
100 + struct mad_bitptr frameend_ptr;
102 + mad_bit_init(&frameend_ptr, stream->next_frame);
103 +
104 + if (mad_bit_length(ptr, &frameend_ptr) < nb) {
105 + stream->error = MAD_ERROR_LOSTSYNC;
106 + stream->sync = 0;
107 + return 0;
108 + }
109 sample = mad_bit_read(ptr, nb);
111 /* invert most significant bit, extend sign, then scale to fixed format */
112 @@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
113 struct mad_header *header = &frame->header;
114 unsigned int nch, bound, ch, s, sb, nb;
115 unsigned char allocation[2][32], scalefactor[2][32];
116 + struct mad_bitptr bufend_ptr, frameend_ptr;
117 +
118 + mad_bit_init(&bufend_ptr, stream->bufend);
119 + mad_bit_init(&frameend_ptr, stream->next_frame);
121 nch = MAD_NCHANNELS(header);
123 @@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
124 /* check CRC word */
126 if (header->flags & MAD_FLAG_PROTECTION) {
127 + if (mad_bit_length(&stream->ptr, &bufend_ptr)
128 + < 4 * (bound * nch + (32 - bound))) {
129 + stream->error = MAD_ERROR_BADCRC;
130 + return -1;
131 + }
132 header->crc_check =
133 mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
134 header->crc_check);
135 @@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
137 for (sb = 0; sb < bound; ++sb) {
138 for (ch = 0; ch < nch; ++ch) {
139 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
140 + stream->error = MAD_ERROR_LOSTSYNC;
141 + stream->sync = 0;
142 + return -1;
143 + }
144 nb = mad_bit_read(&stream->ptr, 4);
146 if (nb == 15) {
147 @@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
148 }
150 for (sb = bound; sb < 32; ++sb) {
151 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
152 + stream->error = MAD_ERROR_LOSTSYNC;
153 + stream->sync = 0;
154 + return -1;
155 + }
156 nb = mad_bit_read(&stream->ptr, 4);
158 if (nb == 15) {
159 @@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
160 for (sb = 0; sb < 32; ++sb) {
161 for (ch = 0; ch < nch; ++ch) {
162 if (allocation[ch][sb]) {
163 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
164 + stream->error = MAD_ERROR_LOSTSYNC;
165 + stream->sync = 0;
166 + return -1;
167 + }
168 scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
170 # if defined(OPT_STRICT)
171 @@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
172 for (ch = 0; ch < nch; ++ch) {
173 nb = allocation[ch][sb];
174 frame->sbsample[ch][s][sb] = nb ?
175 - mad_f_mul(I_sample(&stream->ptr, nb),
176 + mad_f_mul(I_sample(&stream->ptr, nb, stream),
177 sf_table[scalefactor[ch][sb]]) : 0;
178 + if (stream->error != 0)
179 + return -1;
180 }
181 }
183 @@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
184 if ((nb = allocation[0][sb])) {
185 mad_fixed_t sample;
187 - sample = I_sample(&stream->ptr, nb);
188 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
189 + stream->error = MAD_ERROR_LOSTSYNC;
190 + stream->sync = 0;
191 + return -1;
192 + }
193 + sample = I_sample(&stream->ptr, nb, stream);
194 + if (stream->error != 0)
195 + return -1;
197 for (ch = 0; ch < nch; ++ch) {
198 frame->sbsample[ch][s][sb] =
199 @@ -280,13 +321,21 @@ struct quantclass {
200 static
201 void II_samples(struct mad_bitptr *ptr,
202 struct quantclass const *quantclass,
203 - mad_fixed_t output[3])
204 + mad_fixed_t output[3], struct mad_stream *stream)
205 {
206 unsigned int nb, s, sample[3];
207 + struct mad_bitptr frameend_ptr;
208 +
209 + mad_bit_init(&frameend_ptr, stream->next_frame);
211 if ((nb = quantclass->group)) {
212 unsigned int c, nlevels;
214 + if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
215 + stream->error = MAD_ERROR_LOSTSYNC;
216 + stream->sync = 0;
217 + return;
218 + }
219 /* degrouping */
220 c = mad_bit_read(ptr, quantclass->bits);
221 nlevels = quantclass->nlevels;
222 @@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
223 else {
224 nb = quantclass->bits;
226 - for (s = 0; s < 3; ++s)
227 + for (s = 0; s < 3; ++s) {
228 + if (mad_bit_length(ptr, &frameend_ptr) < nb) {
229 + stream->error = MAD_ERROR_LOSTSYNC;
230 + stream->sync = 0;
231 + return;
232 + }
233 sample[s] = mad_bit_read(ptr, nb);
234 + }
235 }
237 for (s = 0; s < 3; ++s) {
238 @@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
239 unsigned char const *offsets;
240 unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
241 mad_fixed_t samples[3];
242 + struct mad_bitptr frameend_ptr;
243 +
244 + mad_bit_init(&frameend_ptr, stream->next_frame);
246 nch = MAD_NCHANNELS(header);
248 @@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
249 for (sb = 0; sb < bound; ++sb) {
250 nbal = bitalloc_table[offsets[sb]].nbal;
252 - for (ch = 0; ch < nch; ++ch)
253 + for (ch = 0; ch < nch; ++ch) {
254 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
255 + stream->error = MAD_ERROR_LOSTSYNC;
256 + stream->sync = 0;
257 + return -1;
258 + }
259 allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
260 + }
261 }
263 for (sb = bound; sb < sblimit; ++sb) {
264 nbal = bitalloc_table[offsets[sb]].nbal;
266 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
267 + stream->error = MAD_ERROR_LOSTSYNC;
268 + stream->sync = 0;
269 + return -1;
270 + }
271 allocation[0][sb] =
272 allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
273 }
274 @@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
276 for (sb = 0; sb < sblimit; ++sb) {
277 for (ch = 0; ch < nch; ++ch) {
278 - if (allocation[ch][sb])
279 + if (allocation[ch][sb]) {
280 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
281 + stream->error = MAD_ERROR_LOSTSYNC;
282 + stream->sync = 0;
283 + return -1;
284 + }
285 scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
286 + }
287 }
288 }
290 @@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
291 for (sb = 0; sb < sblimit; ++sb) {
292 for (ch = 0; ch < nch; ++ch) {
293 if (allocation[ch][sb]) {
294 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
295 + stream->error = MAD_ERROR_LOSTSYNC;
296 + stream->sync = 0;
297 + return -1;
298 + }
299 scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
301 switch (scfsi[ch][sb]) {
302 @@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
303 break;
305 case 0:
306 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
307 + stream->error = MAD_ERROR_LOSTSYNC;
308 + stream->sync = 0;
309 + return -1;
310 + }
311 scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
312 /* fall through */
314 case 1:
315 case 3:
316 + if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
317 + stream->error = MAD_ERROR_LOSTSYNC;
318 + stream->sync = 0;
319 + return -1;
320 + }
321 scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
322 }
324 @@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
325 if ((index = allocation[ch][sb])) {
326 index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
328 - II_samples(&stream->ptr, &qc_table[index], samples);
329 + II_samples(&stream->ptr, &qc_table[index], samples, stream);
330 + if (stream->error != 0)
331 + return -1;
333 for (s = 0; s < 3; ++s) {
334 frame->sbsample[ch][3 * gr + s][sb] =
335 @@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
336 if ((index = allocation[0][sb])) {
337 index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
339 - II_samples(&stream->ptr, &qc_table[index], samples);
340 + II_samples(&stream->ptr, &qc_table[index], samples, stream);
341 + if (stream->error != 0)
342 + return -1;
344 for (ch = 0; ch < nch; ++ch) {
345 for (s = 0; s < 3; ++s) {
346 Index: libmad-0.15.1b/layer3.c
347 ===================================================================
348 --- libmad-0.15.1b.orig/layer3.c
349 +++ libmad-0.15.1b/layer3.c
350 @@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_b
351 static
352 unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
353 struct channel *channel,
354 - struct channel *gr1ch, int mode_extension)
355 + struct channel *gr1ch, int mode_extension,
356 + unsigned int bits_left, unsigned int *part2_length)
357 {
358 struct mad_bitptr start;
359 unsigned int scalefac_compress, index, slen[4], part, n, i;
360 @@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct
362 n = 0;
363 for (part = 0; part < 4; ++part) {
364 - for (i = 0; i < nsfb[part]; ++i)
365 + for (i = 0; i < nsfb[part]; ++i) {
366 + if (bits_left < slen[part])
367 + return MAD_ERROR_BADSCFSI;
368 channel->scalefac[n++] = mad_bit_read(ptr, slen[part]);
369 + bits_left -= slen[part];
370 + }
371 }
373 while (n < 39)
374 @@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct
375 max = (1 << slen[part]) - 1;
377 for (i = 0; i < nsfb[part]; ++i) {
378 + if (bits_left < slen[part])
379 + return MAD_ERROR_BADSCFSI;
380 is_pos = mad_bit_read(ptr, slen[part]);
381 + bits_left -= slen[part];
383 channel->scalefac[n] = is_pos;
384 gr1ch->scalefac[n++] = (is_pos == max);
385 @@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct
386 }
387 }
389 - return mad_bit_length(&start, ptr);
390 + *part2_length = mad_bit_length(&start, ptr);
391 + return MAD_ERROR_NONE;
392 }
394 /*
395 @@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct
396 */
397 static
398 unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
399 - struct channel const *gr0ch, unsigned int scfsi)
400 + struct channel const *gr0ch, unsigned int scfsi,
401 + unsigned int bits_left, unsigned int *part2_length)
402 {
403 struct mad_bitptr start;
404 unsigned int slen1, slen2, sfbi;
405 @@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad
406 sfbi = 0;
408 nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3;
409 - while (nsfb--)
410 + while (nsfb--) {
411 + if (bits_left < slen1)
412 + return MAD_ERROR_BADSCFSI;
413 channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1);
414 + bits_left -= slen1;
415 + }
417 nsfb = 6 * 3;
418 - while (nsfb--)
419 + while (nsfb--) {
420 + if (bits_left < slen2)
421 + return MAD_ERROR_BADSCFSI;
422 channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2);
423 + bits_left -= slen2;
424 + }
426 nsfb = 1 * 3;
427 while (nsfb--)
428 @@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad
429 channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
430 }
431 else {
432 - for (sfbi = 0; sfbi < 6; ++sfbi)
433 + for (sfbi = 0; sfbi < 6; ++sfbi) {
434 + if (bits_left < slen1)
435 + return MAD_ERROR_BADSCFSI;
436 channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
437 + bits_left -= slen1;
438 + }
439 }
441 if (scfsi & 0x4) {
442 @@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad
443 channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
444 }
445 else {
446 - for (sfbi = 6; sfbi < 11; ++sfbi)
447 + for (sfbi = 6; sfbi < 11; ++sfbi) {
448 + if (bits_left < slen1)
449 + return MAD_ERROR_BADSCFSI;
450 channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
451 + bits_left -= slen1;
452 + }
453 }
455 if (scfsi & 0x2) {
456 @@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad
457 channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
458 }
459 else {
460 - for (sfbi = 11; sfbi < 16; ++sfbi)
461 + for (sfbi = 11; sfbi < 16; ++sfbi) {
462 + if (bits_left < slen2)
463 + return MAD_ERROR_BADSCFSI;
464 channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
465 + bits_left -= slen2;
466 + }
467 }
469 if (scfsi & 0x1) {
470 @@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad
471 channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
472 }
473 else {
474 - for (sfbi = 16; sfbi < 21; ++sfbi)
475 + for (sfbi = 16; sfbi < 21; ++sfbi) {
476 + if (bits_left < slen2)
477 + return MAD_ERROR_BADSCFSI;
478 channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
479 + bits_left -= slen2;
480 + }
481 }
483 channel->scalefac[21] = 0;
484 }
486 - return mad_bit_length(&start, ptr);
487 + *part2_length = mad_bit_length(&start, ptr);
488 + return MAD_ERROR_NONE;
489 }
491 /*
492 @@ -933,19 +968,17 @@ static
493 enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
494 struct channel *channel,
495 unsigned char const *sfbwidth,
496 - unsigned int part2_length)
497 + signed int part3_length)
498 {
499 signed int exponents[39], exp;
500 signed int const *expptr;
501 struct mad_bitptr peek;
502 - signed int bits_left, cachesz;
503 + signed int bits_left, cachesz, fakebits;
504 register mad_fixed_t *xrptr;
505 mad_fixed_t const *sfbound;
506 register unsigned long bitcache;
508 - bits_left = (signed) channel->part2_3_length - (signed) part2_length;
509 - if (bits_left < 0)
510 - return MAD_ERROR_BADPART3LEN;
511 + bits_left = part3_length;
513 III_exponents(channel, sfbwidth, exponents);
515 @@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad
516 cachesz = mad_bit_bitsleft(&peek);
517 cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7;
519 + if (bits_left < cachesz) {
520 + cachesz = bits_left;
521 + }
522 bitcache = mad_bit_read(&peek, cachesz);
523 bits_left -= cachesz;
524 + fakebits = 0;
526 xrptr = &xr[0];
528 @@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad
530 big_values = channel->big_values;
532 - while (big_values-- && cachesz + bits_left > 0) {
533 + while (big_values-- && cachesz + bits_left - fakebits > 0) {
534 union huffpair const *pair;
535 unsigned int clumpsz, value;
536 register mad_fixed_t requantized;
537 @@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad
538 unsigned int bits;
540 bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7;
541 + if (bits_left < bits) {
542 + bits = bits_left;
543 + }
544 bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
545 cachesz += bits;
546 bits_left -= bits;
547 }
548 + if (cachesz < 21) {
549 + unsigned int bits = 21 - cachesz;
550 + bitcache <<= bits;
551 + cachesz += bits;
552 + fakebits += bits;
553 + }
555 /* hcod (0..19) */
557 @@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad
558 }
560 cachesz -= pair->value.hlen;
561 + if (cachesz < fakebits)
562 + return MAD_ERROR_BADHUFFDATA;
564 if (linbits) {
565 /* x (0..14) */
566 @@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad
568 case 15:
569 if (cachesz < linbits + 2) {
570 - bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
571 - cachesz += 16;
572 - bits_left -= 16;
573 + unsigned int bits = 16;
574 + if (bits_left < 16)
575 + bits = bits_left;
576 + bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
577 + cachesz += bits;
578 + bits_left -= bits;
579 }
580 + if (cachesz - fakebits < linbits)
581 + return MAD_ERROR_BADHUFFDATA;
583 value += MASK(bitcache, cachesz, linbits);
584 cachesz -= linbits;
585 @@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad
586 }
588 x_final:
589 + if (cachesz - fakebits < 1)
590 + return MAD_ERROR_BADHUFFDATA;
591 xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
592 -requantized : requantized;
593 }
594 @@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad
596 case 15:
597 if (cachesz < linbits + 1) {
598 - bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
599 - cachesz += 16;
600 - bits_left -= 16;
601 + unsigned int bits = 16;
602 + if (bits_left < 16)
603 + bits = bits_left;
604 + bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
605 + cachesz += bits;
606 + bits_left -= bits;
607 }
608 + if (cachesz - fakebits < linbits)
609 + return MAD_ERROR_BADHUFFDATA;
611 value += MASK(bitcache, cachesz, linbits);
612 cachesz -= linbits;
613 @@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad
614 }
616 y_final:
617 + if (cachesz - fakebits < 1)
618 + return MAD_ERROR_BADHUFFDATA;
619 xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
620 -requantized : requantized;
621 }
622 @@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad
623 requantized = reqcache[value] = III_requantize(value, exp);
624 }
626 + if (cachesz - fakebits < 1)
627 + return MAD_ERROR_BADHUFFDATA;
628 xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
629 -requantized : requantized;
630 }
631 @@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad
632 requantized = reqcache[value] = III_requantize(value, exp);
633 }
635 + if (cachesz - fakebits < 1)
636 + return MAD_ERROR_BADHUFFDATA;
637 xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
638 -requantized : requantized;
639 }
640 @@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad
641 }
642 }
644 - if (cachesz + bits_left < 0)
645 - return MAD_ERROR_BADHUFFDATA; /* big_values overrun */
646 -
647 /* count1 */
648 {
649 union huffquad const *table;
650 @@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad
652 requantized = III_requantize(1, exp);
654 - while (cachesz + bits_left > 0 && xrptr <= &xr[572]) {
655 + while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) {
656 union huffquad const *quad;
658 /* hcod (1..6) */
660 if (cachesz < 10) {
661 - bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
662 - cachesz += 16;
663 - bits_left -= 16;
664 + unsigned int bits = 16;
665 + if (bits_left < 16)
666 + bits = bits_left;
667 + bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
668 + cachesz += bits;
669 + bits_left -= bits;
670 + }
671 + if (cachesz < 10) {
672 + unsigned int bits = 10 - cachesz;
673 + bitcache <<= bits;
674 + cachesz += bits;
675 + fakebits += bits;
676 }
678 quad = &table[MASK(bitcache, cachesz, 4)];
679 @@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad
680 MASK(bitcache, cachesz, quad->ptr.bits)];
681 }
683 + if (cachesz - fakebits < quad->value.hlen + quad->value.v
684 + + quad->value.w + quad->value.x + quad->value.y)
685 + /* We don't have enough bits to read one more entry, consider them
686 + * stuffing bits. */
687 + break;
688 cachesz -= quad->value.hlen;
690 if (xrptr == sfbound) {
691 @@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad
693 xrptr += 2;
694 }
695 -
696 - if (cachesz + bits_left < 0) {
697 -# if 0 && defined(DEBUG)
698 - fprintf(stderr, "huffman count1 overrun (%d bits)\n",
699 - -(cachesz + bits_left));
700 -# endif
701 -
702 - /* technically the bitstream is misformatted, but apparently
703 - some encoders are just a bit sloppy with stuffing bits */
704 -
705 - xrptr -= 4;
706 - }
707 }
709 - assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT);
710 -
711 # if 0 && defined(DEBUG)
712 if (bits_left < 0)
713 fprintf(stderr, "read %d bits too many\n", -bits_left);
714 @@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18
715 */
716 static
717 enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
718 - struct sideinfo *si, unsigned int nch)
719 + struct sideinfo *si, unsigned int nch, unsigned int md_len)
720 {
721 struct mad_header *header = &frame->header;
722 unsigned int sfreqi, ngr, gr;
723 + int bits_left = md_len * CHAR_BIT;
725 {
726 unsigned int sfreq;
727 @@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bit
728 for (ch = 0; ch < nch; ++ch) {
729 struct channel *channel = &granule->ch[ch];
730 unsigned int part2_length;
731 + unsigned int part3_length;
733 sfbwidth[ch] = sfbwidth_table[sfreqi].l;
734 if (channel->block_type == 2) {
735 @@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bit
736 }
738 if (header->flags & MAD_FLAG_LSF_EXT) {
739 - part2_length = III_scalefactors_lsf(ptr, channel,
740 + error = III_scalefactors_lsf(ptr, channel,
741 ch == 0 ? 0 : &si->gr[1].ch[1],
742 - header->mode_extension);
743 + header->mode_extension, bits_left, &part2_length);
744 }
745 else {
746 - part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
747 - gr == 0 ? 0 : si->scfsi[ch]);
748 + error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
749 + gr == 0 ? 0 : si->scfsi[ch], bits_left, &part2_length);
750 }
751 + if (error)
752 + return error;
753 +
754 + bits_left -= part2_length;
756 - error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length);
757 + if (part2_length > channel->part2_3_length)
758 + return MAD_ERROR_BADPART3LEN;
759 +
760 + part3_length = channel->part2_3_length - part2_length;
761 + if (part3_length > bits_left)
762 + return MAD_ERROR_BADPART3LEN;
763 +
764 + error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length);
765 if (error)
766 return error;
767 + bits_left -= part3_length;
768 }
770 /* joint stereo processing */
771 @@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *str
772 unsigned int nch, priv_bitlen, next_md_begin = 0;
773 unsigned int si_len, data_bitlen, md_len;
774 unsigned int frame_space, frame_used, frame_free;
775 - struct mad_bitptr ptr;
776 + struct mad_bitptr ptr, bufend_ptr;
777 struct sideinfo si;
778 enum mad_error error;
779 int result = 0;
781 + mad_bit_init(&bufend_ptr, stream->bufend);
782 +
783 /* allocate Layer III dynamic structures */
785 if (stream->main_data == 0) {
786 @@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *str
787 unsigned long header;
789 mad_bit_init(&peek, stream->next_frame);
790 + if (mad_bit_length(&peek, &bufend_ptr) >= 57) {
791 + header = mad_bit_read(&peek, 32);
792 + if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
793 + if (!(header & 0x00010000L)) /* protection_bit */
794 + mad_bit_skip(&peek, 16); /* crc_check */
796 - header = mad_bit_read(&peek, 32);
797 - if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
798 - if (!(header & 0x00010000L)) /* protection_bit */
799 - mad_bit_skip(&peek, 16); /* crc_check */
800 -
801 - next_md_begin =
802 - mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
803 + next_md_begin =
804 + mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
805 + }
806 }
808 mad_bit_finish(&peek);
809 @@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *str
810 /* decode main_data */
812 if (result == 0) {
813 - error = III_decode(&ptr, frame, &si, nch);
814 + error = III_decode(&ptr, frame, &si, nch, md_len);
815 if (error) {
816 stream->error = error;
817 result = -1;