[xiph-cvs] cvs commit: speex/libspeex bits.c

Jean-Marc Valin jm at xiph.org
Thu Jan 9 08:30:00 PST 2003 


jm          03/01/09 11:30:00

  Modified:    libspeex bits.c
  Log:
  Fixed (I think) potential overflow in Speex Bits

Revision  Changes    Path
1.25      +45 -2     speex/libspeex/bits.c

Index: bits.c
===================================================================
RCS file: /usr/local/cvsroot/speex/libspeex/bits.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- bits.c	8 Jan 2003 21:58:59 -0000	1.24
+++ bits.c	9 Jan 2003 16:30:00 -0000	1.25
@@ -135,7 +135,27 @@
 void speex_bits_read_whole_bytes(SpeexBits *bits, char *bytes, int len)
 {
    int i,pos;
-   /*FIXME: check for overflow*/
+
+   if ((bits->nbBits>>3)+len+1 > bits->buf_size)
+   {
+      speex_warning_int("Packet if larger than allocated buffer: ", len);
+      if (bits->owner)
+      {
+         char *tmp = speex_realloc(bits->bytes, (bits->nbBits>>3)+len+1);
+         if (tmp)
+         {
+            bits->buf_size=(bits->nbBits>>3)+len+1;
+            bits->bytes=tmp;
+         } else {
+            len=bits->buf_size-(bits->nbBits>>3)-1;
+            speex_warning("Could not resize input buffer: truncating input");
+         }
+      } else {
+         speex_warning("Do not own input buffer: truncating input");
+         len=bits->buf_size;
+      }
+   }
+
    speex_bits_flush(bits);
    pos=bits->nbBits>>3;
    for (i=0;i<len;i++)
@@ -175,8 +195,31 @@
 
 void speex_bits_pack(SpeexBits *bits, int data, int nbBits)
 {
+   int i;
    unsigned int d=data;
-   /*FIXME: check for overflow*/
+
+   if (bits->bytePtr+((nbBits+bits->bitPtr)>>3) >= bits->buf_size)
+   {
+      speex_warning("Buffer too small to pack bits");
+      if (bits->owner)
+      {
+         char *tmp = speex_realloc(bits->bytes, ((bits->buf_size+5)*3)>>1);
+         if (tmp)
+         {
+            for (i=bits->buf_size;i<(((bits->buf_size+5)*3)>>1);i++)
+               tmp[i]=0;
+            bits->buf_size=((bits->buf_size+5)*3)>>1;
+            bits->bytes=tmp;
+         } else {
+            speex_warning("Could not resize input buffer: not packing");
+            return;
+         }
+      } else {
+         speex_warning("Do not own input buffer: not packing");
+         return;
+      }
+   }
+
    while(nbBits)
    {
       int bit;

<p><p>--- >8 ----
List archives:  http://www.xiph.org/archives/
Ogg project homepage: http://www.xiph.org/ogg/
To unsubscribe from this list, send a message to 'cvs-request at xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.

More information about the commits mailing list