aac: Avoid crash with corrupt files
NeAACDecInit() returns -1 in case of an error.
Subtracting -1 actually increases the buflen by 1,
resulting in a buffer overflow in memmove().

See also: https://github.com/orgs/audacious-media-player/discussions/109
radioactiveman authored and jlindgren90 committed Jan 31, 2024
1 parent e69b85e commit 5236ded
Showing 1 changed file with 15 additions and 2 deletions.
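--- a/src/aac/aac.cc
+++ b/src/aac/aac.cc
@@ -319,7 +319,14 @@ static void aac_seek (VFSFile & file, NeAACDecHandle dec, int time, int len,
 unsigned char chan;
 unsigned long rate;
 
-if ((used = NeAACDecInit (dec, (unsigned char *) buf, * buflen, & rate, & chan)))
+if ((used = NeAACDecInit (dec, (unsigned char *) buf, * buflen, & rate, & chan)) < 0)
+{
+AUDERR ("Failed to initialize AAC decoder.\n");
+* buflen = 0;
+return;
+}
+
+if (used)
 {
 * buflen -= used;
 memmove (buf, (char *) buf + used, * buflen);
@@ -388,7 +395,13 @@ bool AACDecoder::play (const char * filename, VFSFile & file)
 
 /* == START DECODING == */
 
-if ((used = NeAACDecInit (decoder, buf, buflen, & samplerate, & channels)))
+if ((used = NeAACDecInit (decoder, buf, buflen, & samplerate, & channels)) < 0)
+{
+AUDERR ("Failed to initialize AAC decoder.\n");
+goto ERR_CLOSE_DECODER;
+}
+
+if (used)
 {
 buflen -= used;
 memmove (buf, buf + used, buflen);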
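Review bot: The new `< 0` guard in aac_seek and AACDecoder::play rejects the error return but leaves the upper bound of `used` unchecked before `* buflen -= used` / `buflen -= used`. If the decoder ever reports more bytes consumed than the buffer holds, the length goes negative and memmove() receives a huge size after conversion to size_t, which is the same overflow this commit fixes; whether NeAACDecInit can do that is not visible here, but the input is an untrusted file, so I would extend the conditions to `... < 0 || used > * buflen)` in aac_seek and `... < 0 || used > buflen)` in play. The comparison is applied to the result of the assignment, so it only fires if `used` is a signed type; its declaration is outside both hunks and worth confirming. In aac_seek the failure path sets `* buflen = 0` and returns void, so the caller cannot tell a failed re-init from an empty buffer; a short comment there such as `/* decoder is unusable after this; caller sees an empty buffer */` would document that. Both function bodies start and end outside the hunks.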
