[opus] Integer overflow in opus_packet_parse_impl

Jean-Marc Valin jmvalin at jmvalin.ca
Fri Nov 30 23:30:05 PST 2012


On 12-11-30 06:29 PM, Ralph Giles wrote:
>> there is a chance for an integer overflow in opus_packet_parse_impl():
> 
> Thanks for the report! Sorry it got stuck in the mod queue for so long;
> we only check it periodically.
> 
> We've committed a simpler fix as
> http://git.xiph.org/?p=opus.git;a=commitdiff;h=9345aaa5ca1c2fb7d62981b2a538e0ce20612c38

Also, we've analyzed the bug and the worst possible behaviour we could
find was causing a *read* access up to around 60 kB past the end of the
compressed packet data. So the worst possible outcome would be to crash
the decoder, but this can only be achieved with a file that's at least
~16 MB, and even then only on a few decoders on which the memory after
the packet data isn't mapped.

	Jean-Marc
