From d311b4380ea2f61896ca281f4c0b1eda216c9299 Mon Sep 17 00:00:00 2001 From: Stefan Knoblich Date: Mon, 21 Jan 2013 23:18:16 +0100 Subject: [PATCH] mod_fsv: Check audio/video frame size for possible buffer overflow and abort playback Audio frame sizes were already being checked for overflow, but video frame sizes were taken as-is, which would lead to heap corruption. In case an overflow has been detected, playback is aborted immediately as there is no way we can ever recover from such a situation due to the lack of a (well-known) frame header signature that could be used to skip over the corrupted part of the streams. Signed-off-by: Stefan Knoblich --- src/mod/applications/mod_fsv/mod_fsv.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/mod/applications/mod_fsv/mod_fsv.c b/src/mod/applications/mod_fsv/mod_fsv.c index 01160f6f7f..8a7e27c09c 100644 --- a/src/mod/applications/mod_fsv/mod_fsv.c +++ b/src/mod/applications/mod_fsv/mod_fsv.c @@ -403,6 +403,15 @@ SWITCH_STANDARD_APP(play_fsv_function) switch_rtp_hdr_t *hdr = vid_frame.packet; bytes &= ~VID_BIT; + /* + * Frame is larger than available buffer space. This error is non-recoverable due to the + * structure of the .fsv format (no frame header signature to re-sync). + */ + if (bytes > ((int) vid_frame.buflen + 12)) { + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_CRIT, "Corrupt .fsv video frame header is overflowing read buffer, aborting!\n"); + break; + } + if ((vid_frame.packetlen = read(fd, vid_frame.packet, bytes)) != (uint32_t) bytes) { break; } @@ -425,10 +434,15 @@ SWITCH_STANDARD_APP(play_fsv_function) } last = ts; } else { + /* + * Frame is larger than available buffer space. This error is non-recoverable due to the + * structure of the .fsv format (no frame header signature to re-sync). + */ if (bytes > (int) write_frame.buflen) { - bytes = write_frame.buflen; + switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_CRIT, "Corrupt .fsv audio frame header is overflowing read buffer, aborting!\n"); + break; } - + if ((write_frame.datalen = read(fd, write_frame.data, bytes)) <= 0) { break; }