From: Edward Hervey
Date: Wed, 30 May 2018 08:56:12 +0000 (+0200)
Subject: ogg: Avoid undefined granule shift
X-Git-Tag: 1.19.3~511^2~1650
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=63e8900c4769ee02a489283cdf5506c8f24f6452;p=platform%2Fupstream%2Fgstreamer.git

ogg: Avoid undefined granule shift

A granule is a 64bit signed integer, shifting by 63 or more is undefined and most likely an indication that the stream is corrupted or invalid.

Detected by oss-fuzz
---
diff --git a/ext/ogg/gstoggstream.c b/ext/ogg/gstoggstream.c
index 25b880f..ff69cc3 100644
--- a/ext/ogg/gstoggstream.c
+++ b/ext/ogg/gstoggstream.c
@@ -434,6 +434,11 @@ setup_theora_mapper (GstOggStream * pad, ogg_packet * packet)
   /* 2 bits + 3 bits = 5 bits KFGSHIFT */
   pad->granuleshift = ((GST_READ_UINT8 (data + 40) & 0x03) << 3) +
       (GST_READ_UINT8 (data + 41) >> 5);
+  if (pad->granuleshift >= 63) {
+    /* Granuleshift can't be greater than the storage size of a granule */
+    GST_WARNING ("Invalid granuleshift (%u >= 63)", pad->granuleshift);
+    return FALSE;
+  }
   GST_LOG ("granshift: %d", pad->granuleshift);
 
   pad->is_video = TRUE;
@@ -1335,6 +1340,11 @@ gst_ogg_map_add_fisbone (GstOggStream * pad, GstOggStream * skel_pad,
   }
   if (pad->granuleshift == G_MAXUINT32) {
     pad->granuleshift = GST_READ_UINT8 (data + 28);
+    if (pad->granuleshift >= 63) {
+      /* Granuleshift can't be greater than the storage size of a granule */
+      GST_WARNING ("Invalid granuleshift (%u >= 63)", pad->granuleshift);
+      return FALSE;
+    }
   }
 
   start_granule = GST_READ_UINT64_LE (data + 16);
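Review bot: The same five-line guard is pasted into setup_theora_mapper, gst_ogg_map_add_fisbone, setup_cmml_mapper, setup_kate_mapper and setup_daala_mapper; a single static helper would keep the bound and the warning text in one place, so the next mapper that reads a granuleshift from a header gets the same check instead of a sixth copy. The helper's comment can also say why 63 is the bound, which the pasted `/* Granuleshift can't be greater than the storage size of a granule */` leaves implicit: the granule is a signed 64-bit value, so shifting it by 63 or more is undefined. In the theora hunk the guard can never fire, since `((x & 0x03) << 3) + (y >> 5)` is at most 31, which is fine as long as it is understood as a consistency check rather than a fix for that mapper. All five enclosing functions start and end outside their hunks.
```c
/* Granules are signed 64-bit values, so a shift of 63 or more is undefined
 * behaviour; a header asking for one is corrupt or hostile and is rejected. */
static gboolean
gst_ogg_stream_check_granuleshift (GstOggStream * pad)
{
  if (pad->granuleshift >= 63) {
    GST_WARNING ("Invalid granuleshift (%u >= 63)", pad->granuleshift);
    return FALSE;
  }
  return TRUE;
}

/* … unchanged: setup_theora_mapper up to the granuleshift read … */
  if (!gst_ogg_stream_check_granuleshift (pad))
    return FALSE;
/* … unchanged: GST_LOG and the rest of the mapper; same call replaces the
 * pasted block in the other four hunks … */
```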
@@ -1838,6 +1848,11 @@ setup_cmml_mapper (GstOggStream * pad, ogg_packet * packet)
   pad->granulerate_n = GST_READ_UINT64_LE (data + 12);
   pad->granulerate_d = GST_READ_UINT64_LE (data + 20);
   pad->granuleshift = data[28];
+  if (pad->granuleshift >= 63) {
+    /* Granuleshift can't be greater than the storage size of a granule */
+    GST_WARNING ("Invalid granuleshift (%u >= 63)", pad->granuleshift);
+    return FALSE;
+  }
   GST_LOG ("sample rate: %d", pad->granulerate_n);
 
   pad->n_header_packets = 3;
@@ -1895,6 +1910,11 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet)
   pad->granulerate_n = GST_READ_UINT32_LE (data + 24);
   pad->granulerate_d = GST_READ_UINT32_LE (data + 28);
   pad->granuleshift = GST_READ_UINT8 (data + 15);
+  if (pad->granuleshift >= 63) {
+    /* Granuleshift can't be greater than the storage size of a granule */
+    GST_WARNING ("Invalid granuleshift (%u >= 63)", pad->granuleshift);
+    return FALSE;
+  }
   GST_LOG ("sample rate: %d", pad->granulerate_n);
 
   pad->n_header_packets = GST_READ_UINT8 (data + 11);
@@ -2155,6 +2175,11 @@ setup_daala_mapper (GstOggStream * pad, ogg_packet * packet)
       h);
 
   pad->granuleshift = GST_READ_UINT8 (data + 37);
+  if (pad->granuleshift >= 63) {
+    /* Granuleshift can't be greater than the storage size of a granule */
+    GST_WARNING ("Invalid granuleshift (%u >= 63)", pad->granuleshift);
+    return FALSE;
+  }
   GST_LOG ("granshift: %d", pad->granuleshift);
 
   pad->is_video = TRUE;