[vorbis-dev] Will Vorbis happily decode packets with random data?
Jack Moffitt
jack at xiph.org
Wed Aug 8 07:32:22 PDT 2001
> For my application there's been some talk of people hiding viruses in
> Vorbis files. While the possibility's remote, I'm exploring ways to
> verify that a give file really is a Vorbis file, and doesn't even have
> long streaches of executable code in the middle of it.
>
> If a file has valid Ogg page structure, and a valid Vorbis header, but
> somewhere in the file a packet has been replaced with arbitrary data
> (say Windows executable code), will the decoder notice this? For
> example, will it get into some invalid state which it notices, and
> return an error code? Or will it happily produce bogus output, unaware
> that there's a problem?
And how exactly is this a risk? Do you think the sound driver is going
to magically start executing code? Vorbis doesn't execute the sound, it
only does some math on it and sends it to the next part of the pipeline.
Also, since Vorbis treats everything as float and then casts to int
(normally) as a final step, I don't think any executable would survive
this format.
Certainly if it's a bad vorbis packet, the engine will kick it back.
It's designed to be tolerant of bad data, but it will let you know bad
data is there.
Unlike some other companies, we don't make libraries with full scripting
interfaces built in, along with operating systems that blinding trust
everything you download :)
jack.
--- >8 ----
List archives: http://www.xiph.org/archives/
Ogg project homepage: http://www.xiph.org/ogg/
To unsubscribe from this list, send a message to 'vorbis-dev-request at xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.
More information about the Vorbis-dev
mailing list