[Mplayer-cvslog] CVS: main/libac3 decode.c,1.6,1.7 parse.c,1.1.1.1,1.2 parse.h,1.1.1.1,1.2

Sat Jul 14 18:33:13 CEST 2001

Update of /cvsroot/mplayer/main/libac3
In directory mplayer:/var/tmp.root/cvs-serv8024

Modified Files:
	decode.c parse.c parse.h 
Log Message:
Don't crash in libac3, when we decode an ac3 stream with a frame size code
> 38.  Print an error message and continue without audio instead.

For such a problematic ac3 stream, syncinfo->frame_size was initialized to 0,
and the loop in decode_buffer_syncframe tried to store 2**32-2 bytes for the
next frame data into a 4K buffer, which crashes mplayer.


Index: decode.c
===================================================================
RCS file: /cvsroot/mplayer/main/libac3/decode.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7

--- decode.c	20 Jun 2001 07:53:55 -0000	1.6
+++ decode.c	14 Jul 2001 16:33:11 -0000	1.7
@@ -28,6 +28,7 @@
 
 #include <stdlib.h>
 #include <stdio.h>
+#include <assert.h>
 #include <errno.h>
 #include <string.h>
 #include <sys/time.h>
@@ -112,8 +113,14 @@
 		buffer[buffer_size++] = *buffpos_cur++;
 	}
 	
-	parse_syncinfo(syncinfo,buffer);
+	if (!parse_syncinfo(syncinfo,buffer)) {
+		error_flag = 1;
+		fprintf(stderr,"** Cannot parse syncinfo - skipping frame **\n");
+		return 0;
+	}
 //	stats_print_syncinfo(syncinfo);
+
+	assert(syncinfo->frame_size > 0 && syncinfo->frame_size * 2 - 2 <= sizeof(buffer));
 
 	while (buffer_size < syncinfo->frame_size * 2 - 2) {
 		if(buffpos_cur >= buffpos_end)

Index: parse.c
===================================================================
RCS file: /cvsroot/mplayer/main/libac3/parse.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- parse.c	24 Feb 2001 20:29:39 -0000	1.1.1.1
+++ parse.c	14 Jul 2001 16:33:11 -0000	1.2
@@ -43,7 +43,7 @@
 	uint16_t frm_size[3];
 };
 
-static const struct frmsize_s frmsizecod_tbl[64] = 
+static const struct frmsize_s frmsizecod_tbl[] = 
 {
 	{ 32  ,{64   ,69   ,96   } },
 	{ 32  ,{64   ,70   ,96   } },
@@ -84,9 +84,10 @@
 	{ 640 ,{1280 ,1393 ,1920 } },
 	{ 640 ,{1280 ,1394 ,1920 } }
 };
+#define	FRMSIZECOD_TBL_SIZE	(sizeof(frmsizecod_tbl)/sizeof(frmsizecod_tbl[0]))
 
 /* Parse a syncinfo structure, minus the sync word */
-void parse_syncinfo(syncinfo_t *syncinfo, uint8_t *data)
+int parse_syncinfo(syncinfo_t *syncinfo, uint8_t *data)
 {
 	//
 	// We need to read in the entire syncinfo struct (0x0b77 + 24 bits)
@@ -99,7 +100,7 @@
 	if(syncinfo->fscod == 3) {
 		//invalid sampling rate code
 		error_flag = 1;	
-		return;
+		return 0;
 	}
 	else if(syncinfo->fscod == 2)
 		syncinfo->sampling_rate = 32000;
@@ -110,12 +111,17 @@
 
 	// Get the frame size code 
 	syncinfo->frmsizecod = data[2] & 0x3f;
+	if (syncinfo->frmsizecod >= FRMSIZECOD_TBL_SIZE) {
+	    	//invalid frame size code 
+	    	error_flag = 1;
+		return 0;
+	}
 
 	// Calculate the frame size and bitrate
 	syncinfo->frame_size = 
 		frmsizecod_tbl[syncinfo->frmsizecod].frm_size[syncinfo->fscod];
 	syncinfo->bit_rate = frmsizecod_tbl[syncinfo->frmsizecod].bit_rate;
-
+	return 1;
 }
 
 

Index: parse.h
===================================================================
RCS file: /cvsroot/mplayer/main/libac3/parse.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- parse.h	24 Feb 2001 20:29:39 -0000	1.1.1.1
+++ parse.h	14 Jul 2001 16:33:11 -0000	1.2
@@ -21,6 +21,6 @@
  *
  */
 
-void parse_syncinfo(syncinfo_t *syncinfo,uint8_t *data);
+int parse_syncinfo(syncinfo_t *syncinfo,uint8_t *data);
 void parse_audblk(bsi_t *bsi,audblk_t *audblk);
 void parse_bsi(bsi_t *bsi);


