gitlab.xiph.org/xiph/opus.git
author Jean-Marc Valin <jmvalin@jmvalin.ca> 2012-12-01 02:36:36 +0400
committer Jean-Marc Valin <jmvalin@jmvalin.ca> 2013-03-12 21:17:51 +0400
commit aa77e946b5c9cdbc15d2e94b4632720027e0e8b7
tree a95aa55b3d21a6b6b0d7270a4aa9e3715c904588
parent a69a6f8bc4775a1663d7a12de77fa6d1465ef4f9

Fixes an out-of-bounds read issue with the padding handling code
This was reported by Juri Aedla and is limited to reading memory up to about 60 kB beyond the compressed buffer. This can only be triggered by a compressed packet more than about 16 MB long, so it's not a problem for RTP. In theory, it *could* crash an Ogg decoder if the memory just after the incoming packet is out-of-range.
-rw-r--r-- src/opus_decoder.c 4
1 files changed, 1 insertions, 3 deletions
diff --git a/src/opus_decoder.c b/src/opus_decoder.c
index 0cc56f84..8a30fbce 100644
--- a/src/opus_decoder.c
+++ b/src/opus_decoder.c
@@ -595,16 +595,14 @@ static int opus_packet_parse_impl(const unsigned char *data, int len,
/* Padding flag is bit 6 */
if (ch&0x40)
{
- int padding=0;
int p;
do {
if (len<=0)
return OPUS_INVALID_PACKET;
p = *data++;
len--;
- padding += p==255 ? 254: p;
+ len -= p==255 ? 254: p;
} while (p==255);
- len -= padding;
}
if (len<0)
return OPUS_INVALID_PACKET;
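
Review bot: The new `len -= p==255 ? 254: p;` inside the loop can leave `len` negative when the loop exits on a final length byte below 255, and the only thing that rejects that case is the `if (len<0)` check immediately after the closing brace. The change itself looks right: subtracting per iteration means the `if (len<=0)` test at the top of the loop now sees the running total, so a long run of 255 bytes stops as soon as the claimed padding exceeds what is left, instead of growing a separate `int padding` accumulator by 254 per byte with no bound. Please add a one-line comment in the padding block saying that `len` is intentionally reduced inside the loop and that the post-block `len<0` check must stay directly after it, so a later cleanup does not reintroduce an accumulator or move code that uses `len` in between. A regression test that feeds a packet with the padding flag set and a padding length larger than the remaining bytes, expecting `OPUS_INVALID_PACKET`, would also be worth adding alongside this fix.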