[opus] Integer overflow in opus_packet_parse_impl
jmvalin at jmvalin.ca
Fri Nov 30 23:30:05 PST 2012
On 12-11-30 06:29 PM, Ralph Giles wrote:
>> there is a chance for an integer overflow in opus_packet_parse_impl():
> Thanks for the report! Sorry it got stuck in the mod queue for so long;
> we only check it periodically.
> We've committed a simpler fix as
Also, we've analyzed the bug and the worst possible behaviour we could
find was causing a *read* access up to around 60 kB past the end of the
compressed packet data. So the worst possible outcome would be to crash
the decoder, but this can only be achieved with a file that's at least
~16 MB, and even then only on a few decoders on which the memory after
the packet data isn't mapped.