[Mplayer-advusers] AAC audio buffer overflow/crash

Urpala Uoti urpala at ee.tut.fi
Thu Mar 18 16:40:21 CET 2004


In January, I sent a mail with this same subject about an audio
decoding bug. The bug still seems to exist in CVS. For a description
of the bug and what causes it see my earlier mail.

This patch makes the bug easier to see (you don't have to wait for
crashes from the memory corruption). It should trigger if you play a
file with 6-channel audio and codec A_AAC/MPEG4/LC/SBR using "-ao pcm"
(on my system "-ao alsa1x" triggers the bug and "-ao oss" doesn't - I
assume this is because of different output buffer sizes, haven't
checked). I haven't uploaded any sample files so far, but noticed a
mail from Attila Kinali on Feb 26 where he mentions uploading a file
with such audio (mail subject "libfaad segfault", filename
"zx.escaflowne.movie.part1.divx511.mkv").

===================================================================
RCS file: /cvsroot/mplayer/main/libmpcodecs/ad_faad.c,v
retrieving revision 1.11
diff -u -r1.11 ad_faad.c
--- libmpcodecs/ad_faad.c       21 Sep 2003 17:05:51 -0000      1.11
+++ libmpcodecs/ad_faad.c       18 Mar 2004 14:45:26 -0000
@@ -215,6 +215,10 @@
       /* XXX: samples already multiplied by channels! */
       mp_msg(MSGT_DECAUDIO,MSGL_DBG2,"FAAD: Successfully decoded
frame (%d Bytes)!\n",
       sh->samplesize*faac_finfo.samples);
+      if (len + sh->samplesize*faac_finfo.samples > maxlen) {
+         printf("Buffer overflow\n");
+         exit(1);
+      }
       memcpy(buf+len,faac_sample_buffer, sh->samplesize*faac_finfo.samples);
       len += sh->samplesize*faac_finfo.samples;
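Review bot: the added check before the `memcpy` is a diagnostic, not a fix: `printf("Buffer overflow\n"); exit(1);` terminates the whole player as soon as a decoded frame would not fit in the remaining `maxlen - len` bytes. That is fine for confirming the overflow (as the mail says), but a committed fix should stop decoding and return the samples already in `buf` once the next frame would not fit, or keep the surplus in `faac_sample_buffer` for the next call, rather than exiting; the message should also go through `mp_msg(MSGT_DECAUDIO, ...)` like the surrounding debug line instead of a bare `printf`.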
