libavcodec/flac_parser: Validate subframe zero bit and type

Reduces the risk of finding false frames that happens to have valid values and CRC. Fixes ticket #9185 ffmpeg flac decoder incorrectly finds junk frame https://trac.ffmpeg.org/ticket/9185
2025-02-22 14:57:05 +00:00 · 2021-10-13 18:15:26 +02:00 · 2021-10-13 18:15:26 +02:00 · 49597300e8
commit 49597300e8
parent 374d646930
1 changed files with 28 additions and 2 deletions
--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@ -96,8 +96,34 @@ static int frame_header_is_valid(AVCodecContext *avctx, const uint8_t *buf,
                                 FLACFrameInfo *fi)
 {
    GetBitContext gb;
-    init_get_bits(&gb, buf, MAX_FRAME_HEADER_SIZE * 8);
-    return !ff_flac_decode_frame_header(avctx, &gb, fi, 127);
+    uint8_t subframe_type;
+
+    // header plus one byte from first subframe
+    init_get_bits(&gb, buf, MAX_FRAME_HEADER_SIZE * 8 + 8);
+    if (ff_flac_decode_frame_header(avctx, &gb, fi, 127)) {
+        return 0;
+    }
+    // subframe zero bit
+    if (get_bits1(&gb) != 0) {
+        return 0;
+    }
+    // subframe type
+    // 000000 : SUBFRAME_CONSTANT
+    // 000001 : SUBFRAME_VERBATIM
+    // 00001x : reserved
+    // 0001xx : reserved
+    // 001xxx : if(xxx <= 4) SUBFRAME_FIXED, xxx=order ; else reserved
+    // 01xxxx : reserved
+    // 1xxxxx : SUBFRAME_LPC, xxxxx=order-1
+    subframe_type = get_bits(&gb, 6);
+    if (!(subframe_type == 0 ||
+          subframe_type == 1 ||
+          ((subframe_type >= 8) && (subframe_type <= 12)) ||
+          (subframe_type >= 32))) {
+        return 0;
+    }
+
+    return 1;
 }

 /**