diff options
author | sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-12-17 18:44:37 +0000 |
---|---|---|
committer | sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-12-17 18:44:37 +0000 |
commit | 79181daa729bbfd77c8bf51dbcac8aac1593ccba (patch) | |
tree | 308d222aa9a74366798771eb11530b8e6f3545ce | |
parent | 660e25f9ad9e0b421241dcf675c6883fecb859cd (diff) | |
download | src-79181daa729bbfd77c8bf51dbcac8aac1593ccba.tar.gz |
Fix possible integer overflow in Opus with ~16MB fed to the decoder.
BUG=160480
Review URL: https://codereview.chromium.org/11575026
Patch from Jüri Aedla <aedla@chromium.org>.
git-svn-id: svn://svn.chromium.org/chrome/trunk/deps/third_party/opus@173498 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | src/opus_decoder.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/opus_decoder.c b/src/opus_decoder.c index 161bd02..f0188cd 100644 --- a/src/opus_decoder.c +++ b/src/opus_decoder.c @@ -612,16 +612,14 @@ static int opus_packet_parse_impl(const unsigned char *data, opus_int32 len, /* Padding flag is bit 6 */ if (ch&0x40) { - int padding=0; int p; do { if (len<=0) return OPUS_INVALID_PACKET; p = *data++; len--; - padding += p==255 ? 254: p; + len -= p==255 ? 254: p; } while (p==255); - len -= padding; } if (len<0) return OPUS_INVALID_PACKET; |