Fix possible integer overflow in Opus with ~16MB fed to the decoder.

BUG=160480 Review URL: https://codereview.chromium.org/11575026 Patch from Jüri Aedla <aedla@chromium.org>. git-svn-id: svn://svn.chromium.org/chrome/trunk/deps/third_party/opus@173498 0039d316-1c4b-4281-b951-d872f2087c98
author: sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-12-17 18:44:37 +0000
committer: sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-12-17 18:44:37 +0000
commit: 79181daa729bbfd77c8bf51dbcac8aac1593ccba (patch)
tree: 308d222aa9a74366798771eb11530b8e6f3545ce
parent: 660e25f9ad9e0b421241dcf675c6883fecb859cd (diff)
download: src-79181daa729bbfd77c8bf51dbcac8aac1593ccba.tar.gz
1 files changed, 1 insertions, 3 deletions
diff --git a/src/opus_decoder.c b/src/opus_decoder.c
index 161bd02..f0188cd 100644
--- a/src/opus_decoder.c
+++ b/src/opus_decoder.c
@@ -612,16 +612,14 @@ static int opus_packet_parse_impl(const unsigned char *data, opus_int32 len,
       /* Padding flag is bit 6 */
       if (ch&0x40)
       {
-         int padding=0;
          int p;
          do {
             if (len<=0)
                return OPUS_INVALID_PACKET;
             p = *data++;
             len--;
-            padding += p==255 ? 254: p;
+            len -= p==255 ? 254: p;
          } while (p==255);
-         len -= padding;
       }
       if (len<0)
          return OPUS_INVALID_PACKET;
author	sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2012-12-17 18:44:37 +0000
committer	sergeyu@chromium.org <sergeyu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2012-12-17 18:44:37 +0000
commit	79181daa729bbfd77c8bf51dbcac8aac1593ccba (patch)
tree	308d222aa9a74366798771eb11530b8e6f3545ce
parent	660e25f9ad9e0b421241dcf675c6883fecb859cd (diff)
download	src-79181daa729bbfd77c8bf51dbcac8aac1593ccba.tar.gz