From 5ffc16b6a8ab99e5470cd23645fd3a12a04c6a0e Mon Sep 17 00:00:00 2001 From: "tomfinegan@chromium.org" Date: Fri, 8 Feb 2013 22:26:44 +0000 Subject: media: Fix out of bounds read in OpusAudioDecoder. ParseHeader() in opus_audio_decoder.cc was using kMaxVorbisChannels instead of the actual channel count in the header to read the stream map. Also made a CHECK message more informative. BUG=173880 Review URL: https://chromiumcodereview.appspot.com/12223057 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@181562 0039d316-1c4b-4281-b951-d872f2087c98 --- media/filters/opus_audio_decoder.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'media') diff --git a/media/filters/opus_audio_decoder.cc b/media/filters/opus_audio_decoder.cc index 5c6eca8..4a56033 100644 --- a/media/filters/opus_audio_decoder.cc +++ b/media/filters/opus_audio_decoder.cc @@ -227,7 +227,8 @@ static void ParseOpusHeader(const uint8* data, int data_size, } CHECK_GE(data_size, kOpusHeaderStreamMapOffset + header->channels) - << "Invalid stream map."; + << "Invalid stream map; insufficient data for current channel count: " + << header->channels; header->num_streams = *(data + kOpusHeaderNumStreamsOffset); header->num_coupled = *(data + kOpusHeaderNumCoupledOffset); @@ -235,7 +236,7 @@ static void ParseOpusHeader(const uint8* data, int data_size, if (header->num_streams + header->num_coupled != header->channels) LOG(WARNING) << "Inconsistent channel mapping."; - for (int i = 0; i < kMaxVorbisChannels; ++i) + for (int i = 0; i < header->channels; ++i) header->stream_map[i] = *(data + kOpusHeaderStreamMapOffset + i); } -- cgit v1.1