mod_fsv: Check audio/video frame size for possible buffer overflow and abort playback
authorStefan Knoblich <stkn@openisdn.net>
Mon, 21 Jan 2013 22:18:16 +0000 (23:18 +0100)
committerStefan Knoblich <stkn@openisdn.net>
Mon, 21 Jan 2013 22:27:23 +0000 (23:27 +0100)
Audio frame sizes were already being checked for overflow,
but video frame sizes were taken as-is, which would
lead to heap corruption.

In case an overflow has been detected, playback is aborted immediately as
there is no way we can ever recover from such a situation due to the lack
of a (well-known) frame header signature that could be used to skip over
the corrupted part of the streams.

Signed-off-by: Stefan Knoblich <stkn@openisdn.net>
src/mod/applications/mod_fsv/mod_fsv.c

index 01160f6f7f12c35604cca8d95603fed6e63af6ee..8a7e27c09c0d0092c2912ab9de664e0de91310ff 100644 (file)
@@ -403,6 +403,15 @@ SWITCH_STANDARD_APP(play_fsv_function)
                        switch_rtp_hdr_t *hdr = vid_frame.packet;
                        bytes &= ~VID_BIT;
 
+                       /*
+                        * Frame is larger than available buffer space. This error is non-recoverable due to the
+                        * structure of the .fsv format (no frame header signature to re-sync).
+                        */
+                       if (bytes > ((int) vid_frame.buflen + 12)) {
+                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_CRIT, "Corrupt .fsv video frame header is overflowing read buffer, aborting!\n");
+                               break;
+                       }
+
                        if ((vid_frame.packetlen = read(fd, vid_frame.packet, bytes)) != (uint32_t) bytes) {
                                break;
                        }
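Review bot: The bound `((int) vid_frame.buflen + 12)` in the new video check carries an unexplained magic number; the comment above it only says "available buffer space" and does not say where the extra 12 bytes come from. It presumably accounts for an RTP header stored ahead of the payload in `vid_frame.packet` (the audio check in the second hunk uses plain `buflen`), so that assumption should be stated and the constant named, e.g. `/* packet holds a 12-byte RTP header ahead of the buflen-sized payload */` and `enum { FSV_RTP_HDR_LEN = 12 };` — if `packet` is not actually allocated as buflen + 12, a frame of exactly that size would still overrun. Both CRIT messages (here and in the audio hunk) would also be easier to triage if they logged the offending values, e.g. `"... frame header (%d bytes, buffer %u) is overflowing read buffer, aborting!\n", bytes, vid_frame.buflen`. The enclosing play_fsv_function starts and ends outside the hunk.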
@@ -425,10 +434,15 @@ SWITCH_STANDARD_APP(play_fsv_function)
                        }
                        last = ts;
                } else {
+                       /*
+                        * Frame is larger than available buffer space. This error is non-recoverable due to the
+                        * structure of the .fsv format (no frame header signature to re-sync).
+                        */
                        if (bytes > (int) write_frame.buflen) {
-                               bytes = write_frame.buflen;
+                               switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_CRIT, "Corrupt .fsv audio frame header is overflowing read buffer, aborting!\n");
+                               break;
                        }
-                   
+
                        if ((write_frame.datalen = read(fd, write_frame.data, bytes)) <= 0) {
                                break;
                        }
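Review bot: The new audio check only rejects values above `buflen`; `bytes` looks signed (the `(int)` casts imply it), and unless VID_BIT is the sign bit so that negative values are routed to the video branch, a negative `bytes` passes this check and reaches `read()` converted to a huge `size_t`. A cheap guard closes that path regardless: `if (bytes < 0 || bytes > (int) write_frame.buflen) {`. The enclosing play_fsv_function continues outside the hunk.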