ALAC : Collection of validation and bounds checking fixes.

* Validate channel count returned when decoder is initialized. * Validate frames_per_packet. * Bounds check numSamples read from bitstream. * Increase ALAC_BYTE_BUFFER_SIZE. * Integer sanitizer fixes.
libsndfile · Feb 8, 2015 · fdd7a0a · fdd7a0a
1 parent d2a8738
commit fdd7a0a
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/src/ALAC/alac_decoder.c b/src/ALAC/alac_decoder.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2011 Apple Inc. All rights reserved.
- * Copyright (C) 2012-2014 Erik de Castro Lopo <erikd@mega-nerd.com>
+ * Copyright (C) 2012-2015 Erik de Castro Lopo <erikd@mega-nerd.com>
  *
  * @APPLE_APACHE_LICENSE_HEADER_START@
  *
@@ -216,6 +216,8 @@ alac_decode (ALAC_DECODER *p, struct BitBuffer * bits, int32_t * sampleBuffer, u
 				{
 					numSamples = BitBufferRead (bits, 16) << 16 ;
 					numSamples |= BitBufferRead (bits, 16) ;
+
+					RequireAction (numSamples < kALACDefaultFramesPerPacket, return kALAC_ParamError ;) ;
 				}
 
 				if (escapeFlag == 0)
@@ -367,6 +369,8 @@ alac_decode (ALAC_DECODER *p, struct BitBuffer * bits, int32_t * sampleBuffer, u
 				{
 					numSamples = BitBufferRead (bits, 16) << 16 ;
 					numSamples |= BitBufferRead (bits, 16) ;
+
+					RequireAction (numSamples < kALACDefaultFramesPerPacket, return kALAC_ParamError ;) ;
 				}
 
 				if (escapeFlag == 0)
@@ -461,11 +465,11 @@ alac_decode (ALAC_DECODER *p, struct BitBuffer * bits, int32_t * sampleBuffer, u
 						for (i = 0 ; i < numSamples ; i++)
 						{
 							val = (int32_t) BitBufferRead (bits, 16) ;
-							val = (val << 16) >> shift ;
+							val = (((uint32_t) val) << 16) >> shift ;
 							p->mMixBufferU [i] = val | BitBufferRead (bits, (uint8_t) extraBits) ;
 
 							val = (int32_t) BitBufferRead (bits, 16) ;
-							val = (val << 16) >> shift ;
+							val = ((uint32_t) val) >> shift ;
 							p->mMixBufferV [i] = val | BitBufferRead (bits, (uint8_t) extraBits) ;
 						}
 					}

diff --git a/src/alac.c b/src/alac.c
@@ -1,5 +1,5 @@
 /*
-** Copyright (C) 2011-2014 Erik de Castro Lopo <erikd@mega-nerd.com>
+** Copyright (C) 2011-2015 Erik de Castro Lopo <erikd@mega-nerd.com>
 **
 ** This program is free software; you can redistribute it and/or modify
 ** it under the terms of the GNU Lesser General Public License as published by
@@ -31,7 +31,7 @@
 #include	"ALAC/ALACBitUtilities.h"
 
 #define		ALAC_MAX_FRAME_SIZE		8192
-#define		ALAC_BYTE_BUFFER_SIZE	82000
+#define		ALAC_BYTE_BUFFER_SIZE	0x20000
 
 
 typedef struct
@@ -240,6 +240,11 @@ alac_reader_init (SF_PRIVATE *psf, const ALAC_DECODER_INFO * info)
 		return SFE_INTERNAL ;
 		} ;
 
+	if (info->frames_per_packet > ALAC_MAX_FRAME_SIZE)
+	{	psf_log_printf (psf, "*** Error : frames_per_packet (%u) is too big. ***\n", info->frames_per_packet) ;
+		return SFE_INTERNAL ;
+		} ;
+
 	plac = psf->codec_data ;
 
 	plac->channels			= psf->sf.channels ;
@@ -261,6 +266,11 @@ alac_reader_init (SF_PRIVATE *psf, const ALAC_DECODER_INFO * info)
 
 	alac_decoder_init (&plac->decoder, u.kuki, kuki_size) ;
 
+	if (plac->decoder.mNumChannels != (unsigned) psf->sf.channels)
+	{	psf_log_printf (psf, "*** Initialized decoder has %u channels, but it should be %d. ***\n", plac->decoder.mNumChannels, psf->sf.channels) ;
+		return SFE_INTERNAL ;
+		} ;
+
 	switch (info->bits_per_sample)
 	{	case 16 :
 		case 20 :