MKAudioOutputSpeech: fix handling of malformed Opus packets.

This commit fixes two issues with the handling of malformed Opus packets. 1. A malformed Opus packet could trigger a NULL pointer dereference. 2. A malformed Opus packet could trigger a heap-based buffer overflow.
mumble-voip · Jan 28, 2014 · fd19032 · fd19032
1 parent 39b28a0
commit fd19032
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/src/MKAudioOutputSpeech.m b/src/MKAudioOutputSpeech.m
@@ -201,6 +201,11 @@ - (void) addFrame:(NSData *)data forSequence:(NSUInteger)seq {
         NSUInteger size = (header & ((1 << 13) - 1));
         if (size > 0) {
             NSData *opusFrames = [pds copyDataBlock:size];
+            if ([opusFrames length] != size || ![pds valid]) {
+                [pds release];
+                [_jitterLock unlock];
+                return;
+            }
             int nframes = opus_packet_get_nb_frames([opusFrames bytes], size);
             samples = nframes * opus_packet_get_samples_per_frame([opusFrames bytes], SAMPLE_RATE);
             [opusFrames release];
@@ -308,17 +313,21 @@ - (BOOL) needSamples:(NSUInteger)nsamples {
                         _hasTerminator = header & (1 << 13);
                         if (size > 0) {
                             NSData *block = [pds copyDataBlock:size];
-                            [_frames addObject:block];
-                            [block release];
+                            if (block != nil) {
+                                [_frames addObject:block];
+                                [block release];
+                            }
                         }
                     } else {
                         unsigned int header = 0;
                         do {
                             header = (unsigned int)[pds next];
                             if (header) {
                                 NSData *block = [pds copyDataBlock:(header & 0x7f)];
-                                [_frames addObject:block];
-                                [block release];
+                                if (block != nil) {
+                                    [_frames addObject:block];
+                                    [block release];
+                                }
                             } else {
                                 _hasTerminator = YES;
                             }
@@ -360,6 +369,10 @@ - (BOOL) needSamples:(NSUInteger)nsamples {
 
                 if (_msgType == UDPVoiceOpusMessage) {
                     decodedSamples = opus_decode_float(_opusDecoder, [frameData bytes], [frameData length], output, _audioBufferSize, 0);
+                    if (decodedSamples < 0) {
+                        decodedSamples = _frameSize;
+                        memset(output, 0, _frameSize * sizeof(float));
+                    }
                 } else if (_msgType == UDPVoiceSpeexMessage) {
                     if ([frameData length] == 0) {
                         speex_decode(_speexDecoder, NULL, output);