Fixed potential segfault with corrupted streams (audio codecs).

diff --git a/modules/codec/a52.c b/modules/codec/a52.c
index f8d66bf301b9b09030cd5ada1f5a7314d9c5bc9e..8ba2d25fae2d5de060b1d803b9e37c252ef901e3 100644 (file)
--- a/modules/codec/a52.c
+++ b/modules/codec/a52.c
@@ -99,7 +99,7 @@ enum {
  ****************************************************************************/
 static void *DecodeBlock  ( decoder_t *, block_t ** );
 
-static uint8_t       *GetOutBuffer ( decoder_t *, void ** );
+static uint8_t       *GetOutBuffer ( decoder_t *, block_t ** );
 static aout_buffer_t *GetAoutBuffer( decoder_t * );
 static block_t       *GetSoutBuffer( decoder_t * );
 
@@ -180,7 +180,7 @@ static void *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
     decoder_sys_t *p_sys = p_dec->p_sys;
     uint8_t p_header[VLC_A52_HEADER_SIZE];
     uint8_t *p_buf;
-    void *p_out_buffer;
+    block_t *p_out_buffer;
 
     if( !pp_block || !*pp_block ) return NULL;
 
@@ -310,7 +310,8 @@ static void *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
 
             /* Copy the whole frame into the buffer. When we reach this point
              * we already know we have enough data available. */
-            block_GetBytes( &p_sys->bytestream, p_buf, p_sys->frame.i_size );
+            block_GetBytes( &p_sys->bytestream,
+                            p_buf, __MIN( p_sys->frame.i_size, p_out_buffer->i_buffer ) );
 
             /* Make sure we don't reuse the same pts twice */
             if( p_sys->i_pts == p_sys->bytestream.p_block->i_pts )
@@ -344,7 +345,7 @@ static void CloseCommon( vlc_object_t *p_this )
 /*****************************************************************************
  * GetOutBuffer:
  *****************************************************************************/
-static uint8_t *GetOutBuffer( decoder_t *p_dec, void **pp_out_buffer )
+static uint8_t *GetOutBuffer( decoder_t *p_dec, block_t **pp_out_buffer )
 {
     decoder_sys_t *p_sys = p_dec->p_sys;
     uint8_t *p_buf;

diff --git a/modules/codec/dts.c b/modules/codec/dts.c
index 22d1f9c6cb57ed2b8b44b1c3a5e36857341f3e46..a2325546e615528892799e5501ac789f0af8688d 100644 (file)
--- a/modules/codec/dts.c
+++ b/modules/codec/dts.c
@@ -109,7 +109,7 @@ static inline int SyncCode( const uint8_t * );
 static int  SyncInfo( const uint8_t *, bool *, unsigned int *, unsigned int *,
                       unsigned int *, unsigned int *, unsigned int * );
 
-static uint8_t       *GetOutBuffer ( decoder_t *, void ** );
+static uint8_t       *GetOutBuffer ( decoder_t *, block_t ** );
 static aout_buffer_t *GetAoutBuffer( decoder_t * );
 static block_t       *GetSoutBuffer( decoder_t * );
 
@@ -179,7 +179,7 @@ static void *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
     decoder_sys_t *p_sys = p_dec->p_sys;
     uint8_t p_header[DTS_HEADER_SIZE];
     uint8_t *p_buf;
-    void *p_out_buffer;
+    block_t *p_out_buffer;
 
     if( !pp_block || !*pp_block )
         return NULL;
@@ -327,7 +327,8 @@ static void *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
 
             /* Copy the whole frame into the buffer. When we reach this point
              * we already know we have enough data available. */
-            block_GetBytes( &p_sys->bytestream, p_buf, p_sys->i_frame_size );
+            block_GetBytes( &p_sys->bytestream,
+                            p_buf, __MIN( p_sys->i_frame_size, p_out_buffer->i_buffer ) );
 
             /* Make sure we don't reuse the same pts twice */
             if( p_sys->i_pts == p_sys->bytestream.p_block->i_pts )
@@ -361,7 +362,7 @@ static void CloseCommon( vlc_object_t *p_this )
 /*****************************************************************************
  * GetOutBuffer:
  *****************************************************************************/
-static uint8_t *GetOutBuffer( decoder_t *p_dec, void **pp_out_buffer )
+static uint8_t *GetOutBuffer( decoder_t *p_dec, block_t **pp_out_buffer )
 {
     decoder_sys_t *p_sys = p_dec->p_sys;
     uint8_t *p_buf;

diff --git a/modules/codec/mpeg_audio.c b/modules/codec/mpeg_audio.c
index 8d17e842d42aafdfa6a0babf0bb4cac05c310b45..4267f0916922a214c3cbbb2fb3e9e67dc1928e58 100644 (file)
--- a/modules/codec/mpeg_audio.c
+++ b/modules/codec/mpeg_audio.c
@@ -35,6 +35,7 @@
 #include <vlc_plugin.h>
 #include <vlc_codec.h>
 #include <vlc_aout.h>
+#include <assert.h>
 
 #include <vlc_block_helper.h>
 
@@ -95,7 +96,7 @@ static int  OpenPacketizer( vlc_object_t * );
 static void CloseDecoder  ( vlc_object_t * );
 static void *DecodeBlock  ( decoder_t *, block_t ** );
 
-static uint8_t       *GetOutBuffer ( decoder_t *, void ** );
+static uint8_t       *GetOutBuffer ( decoder_t *, block_t ** );
 static aout_buffer_t *GetAoutBuffer( decoder_t * );
 static block_t       *GetSoutBuffer( decoder_t * );
 
@@ -200,7 +201,7 @@ static void *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
     uint8_t p_header[MAD_BUFFER_GUARD];
     uint32_t i_header;
     uint8_t *p_buf;
-    void *p_out_buffer;
+    block_t *p_out_buffer;
 
     if( !pp_block || !*pp_block ) return NULL;
 
@@ -460,11 +461,13 @@ static void *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
 
             /* Copy the whole frame into the buffer. When we reach this point
              * we already know we have enough data available. */
-            block_GetBytes( &p_sys->bytestream, p_buf, p_sys->i_frame_size );
+            block_GetBytes( &p_sys->bytestream,
+                            p_buf, __MIN( (unsigned)p_sys->i_frame_size, p_out_buffer->i_buffer ) );
 
             /* Get beginning of next frame for libmad */
             if( !p_sys->b_packetizer )
             {
+                assert( p_out_buffer->i_buffer >= (unsigned)p_sys->i_frame_size + MAD_BUFFER_GUARD );
                 memcpy( p_buf + p_sys->i_frame_size,
                         p_header, MAD_BUFFER_GUARD );
             }
@@ -488,7 +491,7 @@ static void *DecodeBlock( decoder_t *p_dec, block_t **pp_block )
 /*****************************************************************************
  * GetOutBuffer:
  *****************************************************************************/
-static uint8_t *GetOutBuffer( decoder_t *p_dec, void **pp_out_buffer )
+static uint8_t *GetOutBuffer( decoder_t *p_dec, block_t **pp_out_buffer )
 {
     decoder_sys_t *p_sys = p_dec->p_sys;
     uint8_t *p_buf;
@@ -549,7 +552,7 @@ static aout_buffer_t *GetAoutBuffer( decoder_t *p_dec )
     p_sys->b_discontinuity = false;
 
     /* Hack for libmad filter */
-    p_buf->i_buffer = p_sys->i_frame_size + MAD_BUFFER_GUARD;
+    p_buf = block_Realloc( p_buf, 0, p_sys->i_frame_size + MAD_BUFFER_GUARD );
 
     return p_buf;
 }