Copied from Debian. From: Kurt Roeckx Date: Sun, 28 Jan 2018 15:44:08 +0100 Subject: Check the size of the main data The main data to decode a frame can come from the current frame and part of the previous frame, the so called bit reservoir. si.main_data_begin is the part of the previous frame we need for this frame. frame_space is the amount of main data that can be in this frame, and next_md_begin is the part of this frame that is going to be used for the next frame. The maximum amount of data from a previous frame that the format allows is 511 bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2 at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881. So those defines are not large enough: # define MAD_BUFFER_GUARD 8 # define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD) There is also support for a "free" bitrate which allows you to create any frame size, which can be larger than the buffer. Changing the defines is not an option since it's part of the ABI, so we check that the main data fits in the bufer. The previous frame data is stored in *stream->main_data and contains stream->md_len bytes. If stream->md_len is larger than the data we need from the previous frame (si.main_data_begin) it still wouldn't fit in the buffer, so just keep the data that we need. Index: libmad-0.15.1b/layer3.c =================================================================== --- libmad-0.15.1b.orig/layer3.c +++ libmad-0.15.1b/layer3.c @@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str next_md_begin = 0; md_len = si.main_data_begin + frame_space - next_md_begin; + if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) { + stream->error = MAD_ERROR_LOSTSYNC; + stream->sync = 0; + return -1; + } frame_used = 0; @@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str } } else { - mad_bit_init(&ptr, - *stream->main_data + stream->md_len - si.main_data_begin); + memmove(stream->main_data, + *stream->main_data + stream->md_len - si.main_data_begin, + si.main_data_begin); + stream->md_len = si.main_data_begin; + mad_bit_init(&ptr, *stream->main_data); if (md_len > si.main_data_begin) { assert(stream->md_len + md_len - build.cc?id=e67c908c62384d385fae1d56023a97bf9393151e'>build.cc
AgeCommit message (Expand)Author
2022-06-05daemon: Quote consistently within a string....Tobias Geerinckx-Rice
2022-05-29daemon: Clarify ‘--check’ error when outputs are missing....Tobias Geerinckx-Rice
2022-05-18daemon: runChild() is forbidden to talk during environment set up...yarl-baudig@mailoo.org
2021-11-25daemon: Read substitute nar size as 'unsigned long long'....Ludovic Courtès
2021-04-09daemon: 'guix substitute' replies on FD 4....Ludovic Courtès
2021-03-18daemon: Prevent privilege escalation with '--keep-failed' [security]....Ludovic Courtès
2020-12-19daemon: Delegate deduplication to 'guix substitute'....Ludovic Courtès
2020-12-19daemon: Do not reset timestamps and permissions on substituted items....Ludovic Courtès
2020-12-19daemon: Let 'guix substitute' perform hash checks....Ludovic Courtès
2020-12-08daemon: Raise an error if substituter doesn't send the expected hash....Ludovic Courtès
2020-12-08substitute: Cache and reuse connections while substituting....Ludovic Courtès
2020-12-08daemon: Run 'guix substitute --substitute' as an agent....Ludovic Courtès
2020-12-08daemon: Use 'Agent' to spawn 'guix substitute --query'....Ludovic Courtès
2020-12-01daemon: Remove unneeded forward declaration....Ludovic Courtès
2020-11-29daemon: Remove pre-Guix hack....Ludovic Courtès
2020-10-09nix: Honor '--rounds' when also using '--check'....Maxim Cournoyer