flac packetizer: validate frames with their CRC

Fix #9442

flac packetizer: validate frames with their CRC
Fix #9442
f4f66b0f · Rafaël Carré · 4ccc2f79 · f4f66b0f
Commit f4f66b0f authored Nov 16, 2013 by Rafaël Carré
Hide whitespace changes
Inline Side-by-side

Showing with 124 additions and 2 deletions

modules/packetizer/flac.c modules/packetizer/flac.c +124 -2

No files found.
--- a/modules/packetizer/flac.c
+++ b/modules/packetizer/flac.c
@@ -87,6 +87,7 @@ struct decoder_sys_t

    int i_frame_length;
    size_t i_frame_size;
+    uint16_t crc;
    unsigned int i_rate, i_channels, i_bits_per_sample;
 };

@@ -242,6 +243,93 @@ static uint8_t flac_crc8(const uint8_t *data, unsigned len)
    return crc;
 }

+/* CRC-16, poly = x^16 + x^15 + x^2 + x^0, init = 0 */
+static const uint16_t flac_crc16_table[256] = {
+    0x0000,  0x8005,  0x800f,  0x000a,  0x801b,  0x001e,  0x0014,  0x8011,
+    0x8033,  0x0036,  0x003c,  0x8039,  0x0028,  0x802d,  0x8027,  0x0022,
+    0x8063,  0x0066,  0x006c,  0x8069,  0x0078,  0x807d,  0x8077,  0x0072,
+    0x0050,  0x8055,  0x805f,  0x005a,  0x804b,  0x004e,  0x0044,  0x8041,
+    0x80c3,  0x00c6,  0x00cc,  0x80c9,  0x00d8,  0x80dd,  0x80d7,  0x00d2,
+    0x00f0,  0x80f5,  0x80ff,  0x00fa,  0x80eb,  0x00ee,  0x00e4,  0x80e1,
+    0x00a0,  0x80a5,  0x80af,  0x00aa,  0x80bb,  0x00be,  0x00b4,  0x80b1,
+    0x8093,  0x0096,  0x009c,  0x8099,  0x0088,  0x808d,  0x8087,  0x0082,
+    0x8183,  0x0186,  0x018c,  0x8189,  0x0198,  0x819d,  0x8197,  0x0192,
+    0x01b0,  0x81b5,  0x81bf,  0x01ba,  0x81ab,  0x01ae,  0x01a4,  0x81a1,
+    0x01e0,  0x81e5,  0x81ef,  0x01ea,  0x81fb,  0x01fe,  0x01f4,  0x81f1,
+    0x81d3,  0x01d6,  0x01dc,  0x81d9,  0x01c8,  0x81cd,  0x81c7,  0x01c2,
+    0x0140,  0x8145,  0x814f,  0x014a,  0x815b,  0x015e,  0x0154,  0x8151,
+    0x8173,  0x0176,  0x017c,  0x8179,  0x0168,  0x816d,  0x8167,  0x0162,
+    0x8123,  0x0126,  0x012c,  0x8129,  0x0138,  0x813d,  0x8137,  0x0132,
+    0x0110,  0x8115,  0x811f,  0x011a,  0x810b,  0x010e,  0x0104,  0x8101,
+    0x8303,  0x0306,  0x030c,  0x8309,  0x0318,  0x831d,  0x8317,  0x0312,
+    0x0330,  0x8335,  0x833f,  0x033a,  0x832b,  0x032e,  0x0324,  0x8321,
+    0x0360,  0x8365,  0x836f,  0x036a,  0x837b,  0x037e,  0x0374,  0x8371,
+    0x8353,  0x0356,  0x035c,  0x8359,  0x0348,  0x834d,  0x8347,  0x0342,
+    0x03c0,  0x83c5,  0x83cf,  0x03ca,  0x83db,  0x03de,  0x03d4,  0x83d1,
+    0x83f3,  0x03f6,  0x03fc,  0x83f9,  0x03e8,  0x83ed,  0x83e7,  0x03e2,
+    0x83a3,  0x03a6,  0x03ac,  0x83a9,  0x03b8,  0x83bd,  0x83b7,  0x03b2,
+    0x0390,  0x8395,  0x839f,  0x039a,  0x838b,  0x038e,  0x0384,  0x8381,
+    0x0280,  0x8285,  0x828f,  0x028a,  0x829b,  0x029e,  0x0294,  0x8291,
+    0x82b3,  0x02b6,  0x02bc,  0x82b9,  0x02a8,  0x82ad,  0x82a7,  0x02a2,
+    0x82e3,  0x02e6,  0x02ec,  0x82e9,  0x02f8,  0x82fd,  0x82f7,  0x02f2,
+    0x02d0,  0x82d5,  0x82df,  0x02da,  0x82cb,  0x02ce,  0x02c4,  0x82c1,
+    0x8243,  0x0246,  0x024c,  0x8249,  0x0258,  0x825d,  0x8257,  0x0252,
+    0x0270,  0x8275,  0x827f,  0x027a,  0x826b,  0x026e,  0x0264,  0x8261,
+    0x0220,  0x8225,  0x822f,  0x022a,  0x823b,  0x023e,  0x0234,  0x8231,
+    0x8213,  0x0216,  0x021c,  0x8219,  0x0208,  0x820d,  0x8207,  0x0202
+};
+
+static uint16_t flac_crc16(uint16_t crc, uint8_t byte)
+{
+    return (crc << 8) ^ flac_crc16_table[(crc >> 8) ^ byte];
+}
+
+/* Gives the previous CRC value, before hashing last_byte through it */
+static uint16_t flac_crc16_undo(uint16_t crc, const uint8_t last_byte)
+{
+    /*
+     * Given a byte b, gives a position X in flac_crc16_table, such as:
+     *      flac_crc16_rev_table[flac_crc16_table[X] & 0xff] == X
+     * This works because flac_crc16_table[i] & 0xff yields 256 unique values.
+     */
+    static const uint8_t flac_crc16_rev_table[256] = {
+        0x00, 0x7f, 0xff, 0x80, 0x7e, 0x01, 0x81, 0xfe,
+        0xfc, 0x83, 0x03, 0x7c, 0x82, 0xfd, 0x7d, 0x02,
+        0x78, 0x07, 0x87, 0xf8, 0x06, 0x79, 0xf9, 0x86,
+        0x84, 0xfb, 0x7b, 0x04, 0xfa, 0x85, 0x05, 0x7a,
+        0xf0, 0x8f, 0x0f, 0x70, 0x8e, 0xf1, 0x71, 0x0e,
+        0x0c, 0x73, 0xf3, 0x8c, 0x72, 0x0d, 0x8d, 0xf2,
+        0x88, 0xf7, 0x77, 0x08, 0xf6, 0x89, 0x09, 0x76,
+        0x74, 0x0b, 0x8b, 0xf4, 0x0a, 0x75, 0xf5, 0x8a,
+        0x60, 0x1f, 0x9f, 0xe0, 0x1e, 0x61, 0xe1, 0x9e,
+        0x9c, 0xe3, 0x63, 0x1c, 0xe2, 0x9d, 0x1d, 0x62,
+        0x18, 0x67, 0xe7, 0x98, 0x66, 0x19, 0x99, 0xe6,
+        0xe4, 0x9b, 0x1b, 0x64, 0x9a, 0xe5, 0x65, 0x1a,
+        0x90, 0xef, 0x6f, 0x10, 0xee, 0x91, 0x11, 0x6e,
+        0x6c, 0x13, 0x93, 0xec, 0x12, 0x6d, 0xed, 0x92,
+        0xe8, 0x97, 0x17, 0x68, 0x96, 0xe9, 0x69, 0x16,
+        0x14, 0x6b, 0xeb, 0x94, 0x6a, 0x15, 0x95, 0xea,
+        0xc0, 0xbf, 0x3f, 0x40, 0xbe, 0xc1, 0x41, 0x3e,
+        0x3c, 0x43, 0xc3, 0xbc, 0x42, 0x3d, 0xbd, 0xc2,
+        0xb8, 0xc7, 0x47, 0x38, 0xc6, 0xb9, 0x39, 0x46,
+        0x44, 0x3b, 0xbb, 0xc4, 0x3a, 0x45, 0xc5, 0xba,
+        0x30, 0x4f, 0xcf, 0xb0, 0x4e, 0x31, 0xb1, 0xce,
+        0xcc, 0xb3, 0x33, 0x4c, 0xb2, 0xcd, 0x4d, 0x32,
+        0x48, 0x37, 0xb7, 0xc8, 0x36, 0x49, 0xc9, 0xb6,
+        0xb4, 0xcb, 0x4b, 0x34, 0xca, 0xb5, 0x35, 0x4a,
+        0xa0, 0xdf, 0x5f, 0x20, 0xde, 0xa1, 0x21, 0x5e,
+        0x5c, 0x23, 0xa3, 0xdc, 0x22, 0x5d, 0xdd, 0xa2,
+        0xd8, 0xa7, 0x27, 0x58, 0xa6, 0xd9, 0x59, 0x26,
+        0x24, 0x5b, 0xdb, 0xa4, 0x5a, 0x25, 0xa5, 0xda,
+        0x50, 0x2f, 0xaf, 0xd0, 0x2e, 0x51, 0xd1, 0xae,
+        0xac, 0xd3, 0x53, 0x2c, 0xd2, 0xad, 0x2d, 0x52,
+        0x28, 0x57, 0xd7, 0xa8, 0x56, 0x29, 0xa9, 0xd6,
+        0xd4, 0xab, 0x2b, 0x54, 0xaa, 0xd5, 0x55, 0x2a,
+    };
+    uint8_t idx = flac_crc16_rev_table[crc & 0xff];
+    return ((idx ^ last_byte) << 8) | ((crc ^ flac_crc16_table[idx]) >> 8);
+}
+
 /*****************************************************************************
 * SyncInfo: parse FLAC sync info
 *****************************************************************************/
@@ -484,6 +572,23 @@ static block_t *Packetize(decoder_t *p_dec, block_t **pp_block)
        p_sys->i_frame_size = p_sys->b_stream_info && p_sys->stream_info.min_framesize > 0 ?
                                                        p_sys->stream_info.min_framesize : 1;

+        /* Calculate the initial CRC for the minimal frame size,
+         * We'll update it as we look for the next start code. */
+        uint8_t *buf = malloc(p_sys->i_frame_size);
+        if (!buf)
+            return NULL;
+
+        if (block_PeekOffsetBytes(&p_sys->bytestream, 0, buf, p_sys->i_frame_size)) {
+            free(buf);
+            return NULL;
+        }
+
+        uint16_t crc = 0;
+        for (unsigned i = 0; i < p_sys->i_frame_size; i++)
+            crc = flac_crc16(crc, buf[i]);
+        free(buf);
+        p_sys->crc = crc;
+
    case STATE_NEXT_SYNC:
        /* TODO: If pp_block == NULL, flush the buffer without checking the
         * next sync word */
@@ -500,10 +605,25 @@ static block_t *Packetize(decoder_t *p_dec, block_t **pp_block)
                              &p_sys->i_bits_per_sample);

                if (i_frame_length) {
-                    p_sys->i_state = STATE_SEND_DATA;
-                    break;
+                    uint8_t crc_bytes[2];
+                    block_PeekOffsetBytes(&p_sys->bytestream,
+                        p_sys->i_frame_size - 2, crc_bytes, 2);
+                    /* Get the frame CRC */
+                    uint16_t stream_crc = (crc_bytes[0] << 8) | crc_bytes[1];
+                    /* Calculate the frame CRC: remove the last 2 bytes */
+                    uint16_t crc = flac_crc16_undo(p_sys->crc, crc_bytes[1]);
+                             crc = flac_crc16_undo(crc,        crc_bytes[0]);
+                    if (stream_crc != crc) {
+                        msg_Warn(p_dec, "Bad CRC for frame size %zu: 0x%x != 0x%x",
+                            p_sys->i_frame_size, crc, stream_crc);
+                    } else {
+                        p_sys->i_state = STATE_SEND_DATA;
+                        p_sys->crc = 0;
+                        break;
+                    }
                }
            }
+            p_sys->crc = flac_crc16(p_sys->crc, p_header[0]); /* update CRC */
            p_sys->i_frame_size++;
        }

@@ -511,6 +631,8 @@ static block_t *Packetize(decoder_t *p_dec, block_t **pp_block)
            if (p_sys->b_stream_info && p_sys->stream_info.max_framesize > 0 &&
                p_sys->i_frame_size > p_sys->stream_info.max_framesize) {
                block_SkipByte(&p_sys->bytestream);
+                msg_Warn(p_dec, "Frame is too big (%zu > %d), couldn't find start code",
+                        p_sys->i_frame_size, p_sys->stream_info.max_framesize);
                p_sys->i_state = STATE_NOSYNC;
                return NULL;
            }