You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
58 lines
2.2 KiB
58 lines
2.2 KiB
From: Kurt Roeckx <kurt@roeckx.be> |
|
Date: Sun, 28 Jan 2018 15:44:08 +0100 |
|
Subject: Check the size of the main data |
|
|
|
The main data to decode a frame can come from the current frame and part of the |
|
previous frame, the so called bit reservoir. si.main_data_begin is the part of |
|
the previous frame we need for this frame. frame_space is the amount of main |
|
data that can be in this frame, and next_md_begin is the part of this frame that |
|
is going to be used for the next frame. |
|
|
|
The maximum amount of data from a previous frame that the format allows is 511 |
|
bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2 |
|
at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881. |
|
So those defines are not large enough: |
|
# define MAD_BUFFER_GUARD 8 |
|
# define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD) |
|
|
|
There is also support for a "free" bitrate which allows you to create any frame |
|
size, which can be larger than the buffer. |
|
|
|
Changing the defines is not an option since it's part of the ABI, so we check |
|
that the main data fits in the bufer. |
|
|
|
The previous frame data is stored in *stream->main_data and contains |
|
stream->md_len bytes. If stream->md_len is larger than the data we |
|
need from the previous frame (si.main_data_begin) it still wouldn't fit |
|
in the buffer, so just keep the data that we need. |
|
|
|
Index: libmad-0.15.1b/layer3.c |
|
=================================================================== |
|
--- libmad-0.15.1b.orig/layer3.c |
|
+++ libmad-0.15.1b/layer3.c |
|
@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str |
|
next_md_begin = 0; |
|
|
|
md_len = si.main_data_begin + frame_space - next_md_begin; |
|
+ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) { |
|
+ stream->error = MAD_ERROR_LOSTSYNC; |
|
+ stream->sync = 0; |
|
+ return -1; |
|
+ } |
|
|
|
frame_used = 0; |
|
|
|
@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str |
|
} |
|
} |
|
else { |
|
- mad_bit_init(&ptr, |
|
- *stream->main_data + stream->md_len - si.main_data_begin); |
|
+ memmove(stream->main_data, |
|
+ *stream->main_data + stream->md_len - si.main_data_begin, |
|
+ si.main_data_begin); |
|
+ stream->md_len = si.main_data_begin; |
|
+ mad_bit_init(&ptr, *stream->main_data); |
|
|
|
if (md_len > si.main_data_begin) { |
|
assert(stream->md_len + md_len -
|
|
|