author | sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-11-07 06:58:28 +0000 |
---|---|---|
committer | sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-11-07 06:58:28 +0000 |
commit | ee8e597c133630c4dce99781a54f726c8d695e6f (patch) | |
tree | c2fd943114f04bad87ffcea5be1925b49e26002d /remoting | |
parent | e6085c3b338ac55baad91357a009339d839931a3 (diff) | |
Limit number of frames per audio packet in Opus and Speex decoders.
Previously Opus and Speex decoders didn't validate number of frames in
the incoming packets, so there was a potential buffer overflow when
there are enough frames in a packet to cause integer overflow.
BUG=159553,159229
Review URL: https://chromiumcodereview.appspot.com/11368112
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@166368 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'remoting')
-rw-r--r-- | remoting/codec/audio_decoder_opus.cc | 16 | ||||
-rw-r--r-- | remoting/codec/audio_decoder_speex.cc | 11 |
2 files changed, 23 insertions, 4 deletions
diff --git a/remoting/codec/audio_decoder_opus.cc b/remoting/codec/audio_decoder_opus.cc
index a2b601f..888e4bc 100644
--- a/remoting/codec/audio_decoder_opus.cc
+++ b/remoting/codec/audio_decoder_opus.cc
@@ -14,7 +14,11 @@ namespace remoting {
 namespace {
-const int kMaxPacketSizeMs = 120;
+// Maximum size of an Opus frame in milliseconds.
+const int kMaxFrameSizeMs = 120;
+
+// Hosts will never generate more than 100 frames in a single packet.
+const int kMaxFramesPerPacket = 100;
 const AudioPacket::SamplingRate kSamplingRate = AudioPacket::SAMPLING_RATE_48000;
@@ -75,8 +79,12 @@ bool AudioDecoderOpus::ResetForPacket(AudioPacket* packet) {
 scoped_ptr<AudioPacket> AudioDecoderOpus::Decode(
 scoped_ptr<AudioPacket> packet) {
 if (packet->encoding() != AudioPacket::ENCODING_OPUS) {
- LOG(WARNING) << "Received a packet with encoding " << packet->encoding()
- << "when an OPUS packet was expected.";
+ LOG(WARNING) << "Received an audio packet with encoding "
+ << packet->encoding() << " when an OPUS packet was expected.";
+ return scoped_ptr<AudioPacket>();
+ }
+ if (packet->data_size() > kMaxFramesPerPacket) {
+ LOG(WARNING) << "Received an packet with too many frames.";
 return scoped_ptr<AudioPacket>();
 }
@@ -91,7 +99,7 @@ scoped_ptr<AudioPacket> AudioDecoderOpus::Decode(
 decoded_packet->set_bytes_per_sample(AudioPacket::BYTES_PER_SAMPLE_2);
 decoded_packet->set_channels(packet->channels());
- int max_frame_samples = kMaxPacketSizeMs * kSamplingRate /
+ int max_frame_samples = kMaxFrameSizeMs * kSamplingRate /
 base::Time::kMillisecondsPerSecond;
 int max_frame_bytes = max_frame_samples * channels_ * decoded_packet->bytes_per_sample();
diff --git a/remoting/codec/audio_decoder_speex.cc b/remoting/codec/audio_decoder_speex.cc
index 89289b8..61b4dbc 100644
--- a/remoting/codec/audio_decoder_speex.cc
+++ b/remoting/codec/audio_decoder_speex.cc
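Review bot: `kMaxFramesPerPacket` and its comment are defined twice, once in the anonymous namespace of audio_decoder_opus.cc in this hunk and again in the namespace added to audio_decoder_speex.cc, so the two limits can drift apart if only one is edited later. Declaring the constant once in a header that both decoders include would keep them in step. The comment also states only what hosts do, not why the decoder enforces it; going by the commit description the bound exists to stop the frame count from overflowing a size computation, so wording such as `// Upper bound on frames accepted per packet; keeps the decoded-buffer size computation from overflowing.` would mark it as a safety limit and not a tuning value.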
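Review bot: The warning added in AudioDecoderOpus::Decode() reads "Received an packet with too many frames." (should be "a packet") and logs neither the received frame count nor the limit, which makes a rejected packet hard to triage from logs; the same message is added in AudioDecoderSpeex::Decode(). Suggest `LOG(WARNING) << "Received a packet with too many frames: " << packet->data_size() << " (limit " << kMaxFramesPerPacket << ").";` in both places. Decode() continues past the end of this hunk, so the buffer sizing that this guard protects is not visible here.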
@@ -15,6 +15,13 @@ namespace remoting {
+namespace {
+
+// Hosts will never generate more than 100 frames in a single packet.
+const int kMaxFramesPerPacket = 100;
+
+} // namespace
+
 AudioDecoderSpeex::AudioDecoderSpeex() {
 // Create and initialize the Speex structures.
 speex_bits_.reset(new SpeexBits());
@@ -68,6 +75,10 @@ scoped_ptr<AudioPacket> AudioDecoderSpeex::Decode(
 LOG(WARNING) << "Received an unsupported packet.";
 return scoped_ptr<AudioPacket>(NULL);
 }
+ if (packet->data_size() > kMaxFramesPerPacket) {
+ LOG(WARNING) << "Received an packet with too many frames.";
+ return scoped_ptr<AudioPacket>();
+ }
 // Create a new packet of decoded data.
 scoped_ptr<AudioPacket> decoded_packet(new AudioPacket()); |
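Review bot: The early return added in AudioDecoderSpeex::Decode() is written `return scoped_ptr<AudioPacket>();` while the rejection path directly above it in the same function returns `scoped_ptr<AudioPacket>(NULL)`; use one form for both so the two failure exits read the same. The diffstat lists only the two decoder sources, so this commit appears to add no test for the new limit. A unit test per decoder that feeds a packet carrying `kMaxFramesPerPacket + 1` frames and expects a null result would pin the check down and catch a later regression of the bound. Decode() continues past the end of the hunk.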