search for: cur_packet_gp

Just an attempt to avoid overflows with an explicit check, I don't know if there's a better way to identify corrupt input here. James Zern (2): op_pcm_seek: fix int64 overflow op_fetch_and_process_page: fix int64 overflow src/opusfile.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) -- 2.15.0.448.gf294e3d99a-goog

On Tue, Nov 28, 2017 at 3:22 PM, James Zern <jzern at google.com> wrote: > On Mon, Nov 20, 2017 at 1:07 PM, James Zern <jzern at google.com> wrote: >> Just an attempt to avoid overflows with an explicit check, I don't know if >> there's a better way to identify corrupt input here. >> >> James Zern (2): >> op_pcm_seek: fix int64 overflow

...nged, 4 insertions(+), 1 deletion(-) diff --git a/src/opusfile.c b/src/opusfile.c index df326af..2bef277 100644 --- a/src/opusfile.c +++ b/src/opusfile.c @@ -2078,7 +2078,10 @@ static int op_fetch_and_process_page(OggOpusFile *_of, &&OP_LIKELY(diff<total_duration)){ cur_packet_gp=prev_packet_gp; for(pi=0;pi<op_count;pi++){ - diff=durations[pi]-diff; + /*Check for overflow.*/ + if(diff<0&&OP_UNLIKELY(OP_INT64_MAX+diff<durations[pi])){ + diff=0; + } else diff=durations[pi]-diff;...

...(because _pcm_offset == (target_gp - pcm_start) and diff == (gp - > pcm_start). > This works. > [...] > >> @@ -2078,7 +2078,10 @@ static int op_fetch_and_process_page(OggOpusFile >> *_of, >> &&OP_LIKELY(diff<total_duration)){ >> cur_packet_gp=prev_packet_gp; >> for(pi=0;pi<op_count;pi++){ >> - diff=durations[pi]-diff; >> + /*Check for overflow.*/ >> + if(diff<0&&OP_UNLIKELY(OP_INT64_MAX+diff<durations[pi])){ >> + diff=0; >> +...

...tamps like this, but at least if we try a full seek and fail we'll report an error in most cases instead of pretending we succeeded. > @@ -2078,7 +2078,10 @@ static int op_fetch_and_process_page(OggOpusFile *_of, > &&OP_LIKELY(diff<total_duration)){ > cur_packet_gp=prev_packet_gp; > for(pi=0;pi<op_count;pi++){ > - diff=durations[pi]-diff; > + /*Check for overflow.*/ > + if(diff<0&&OP_UNLIKELY(OP_INT64_MAX+diff<durations[pi])){ > + diff=0; > + } else diff=dur...