aacparse: be more strict at ADTS header parsing

Adds two extra checks:

- Sampling frequency on header can't be 15.
- Frame size should be at least 9 or 7, depending
  on whether CRC protection is present.

https://bugzilla.gnome.org/show_bug.cgi?id=724638

diff --git a/gst/audioparsers/gstaacparse.c b/gst/audioparsers/gstaacparse.c
index 901d4f0..f693097 100644 (file)
--- a/gst/audioparsers/gstaacparse.c
+++ b/gst/audioparsers/gstaacparse.c
@@ -387,13 +387,22 @@ gst_aac_parse_check_adts_frame (GstAacParse * aacparse,
     const guint8 * data, const guint avail, gboolean drain,
     guint * framesize, guint * needed_data)
 {
+  guint crc_size;
+
   *needed_data = 0;
 
-  if (G_UNLIKELY (avail < 2))
+  /* Absolute minimum to perform the ADTS syncword,
+     layer and sampling frequency tests */
+  if (G_UNLIKELY (avail < 3))
     return FALSE;
 
+  /* Syncword and layer tests */
   if ((data[0] == 0xff) && ((data[1] & 0xf6) == 0xf0)) {
 
+    /* Sampling frequency test */
+    if (G_UNLIKELY ((data[2] & 0x3C) >> 2 == 15))
+      return FALSE;
+
     /* This looks like an ADTS frame header but
        we need at least 6 bytes to proceed */
     if (G_UNLIKELY (avail < 6)) {
@@ -403,6 +412,14 @@ gst_aac_parse_check_adts_frame (GstAacParse * aacparse,
 
     *framesize = gst_aac_parse_adts_get_frame_len (data);
 
+    /* If frame has CRC, it needs 2 bytes
+       for it at the end of the header */
+    crc_size = (data[1] & 0x01) ? 0 : 2;
+
+    /* CRC size test */
+    if (*framesize < 7 + crc_size)
+      return FALSE;
+
     /* In EOS mode this is enough. No need to examine the data further.
        We also relax the check when we have sync, on the assumption that
        if we're not looking at random data, we have a much higher chance