The function decodeFirstFrame() allocates memory based on data from
the mp3 header. This can make the buffer size allocation overflow, or
lead to a DoS attack with a very large buffer. Cap this buffer at 8
million frames, which should really be enough for reasonable files.

A crafted mp4 file could cause an integer overflow in the mp4_decode
function in src/inputPlugins/mp4_plugin.c. The mp4ff_num_samples()
function returns some tainted value. sizeof(float) * numSamples is an
integer overflow operation if numSamples is too huge, so xmalloc will
allocate a small memory region. I constructed an mp4 file, and used
faad2 to open the file. mp4ff_num_samples() returns -1. So I think mpd
suffers from the same problem.

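The two messages above describe the same bug class: an allocation size computed from a header-controlled count. The following is an added example, not MPD's code; it models the sizeof(float) * numSamples computation with a hypothetical checked_sample_buffer_size() helper and an alloc_seek_table() wrapper (both assumed names), shows how the product truncates under a 32-bit size_t, and applies the kind of cap the mp3 change chose (8 million, taken from that message; the exact value is a policy choice). It assumes sizeof(float) == 4.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not MPD code. A decoder must allocate
 * sizeof(float) * num_samples where num_samples comes from a header the
 * attacker controls (modelled as the int32_t mp4ff_num_samples() is
 * described as returning). The cap value follows the mp3 change above. */
#define MAX_SAMPLES (8u * 1000u * 1000u)

/* The unchecked computation as it behaves with a 32-bit size_t: the
 * product is truncated, so a huge count turns into a tiny allocation.
 * Assumes sizeof(float) == 4. */
uint32_t wrapped_size32(int32_t num_samples)
{
    return (uint32_t)sizeof(float) * (uint32_t)num_samples;
}

/* Hardened form: reject negative (error) and oversized (DoS) counts before
 * multiplying, then prove the multiplication cannot overflow size_t at all.
 * Returns false and leaves *out untouched on bad input. */
bool checked_sample_buffer_size(int32_t num_samples, size_t *out)
{
    if (num_samples < 0)
        return false;   /* e.g. the -1 that mp4ff_num_samples() returned */
    if ((uint32_t)num_samples > MAX_SAMPLES)
        return false;   /* refuse to buffer absurd files */
    if ((size_t)num_samples > SIZE_MAX / sizeof(float))
        return false;   /* would wrap even without the cap */
    *out = sizeof(float) * (size_t)num_samples;
    return true;
}

/* Convenience for callers that only want the byte count: 0 means rejected. */
size_t checked_size_or_zero(int32_t num_samples)
{
    size_t size = 0;
    return checked_sample_buffer_size(num_samples, &size) ? size : 0;
}

/* xmalloc-style helper (hypothetical) that never allocates from a tainted count. */
float *alloc_seek_table(int32_t num_samples)
{
    size_t size;
    if (!checked_sample_buffer_size(num_samples, &size))
        return NULL;
    return malloc(size);
}

int main(void)
{
    /* Constructed header values, not taken from any real file. */
    const int32_t counts[] = { 1024, -1, 0x40000001 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t size = 0;
        bool ok = checked_sample_buffer_size(counts[i], &size);
        printf("num_samples=%11" PRId32 "  wrapped32=%10" PRIu32
               "  checked=%s size=%zu\n",
               counts[i], wrapped_size32(counts[i]),
               ok ? "ok      " : "rejected", size);
        float *table = alloc_seek_table(counts[i]);
        free(table);
    }
    return 0;
}
```

The count 0x40000001 is the classic case: its 32-bit product with 4 is exactly 4, so the old code would have handed the decoder a four-byte seek table and then written a gigabyte past it. The cap rejects it long before the generic SIZE_MAX guard is reached; the guard is kept so the function stays correct if someone later raises the cap.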
The previous patch enabled these warnings. In Eric's branch, they
were worked around with a generic deconst_ptr() function. There are
several places where we can add "const" to pointers, and in others,
libraries want non-const strings. In the latter, convert string
literals to "static char[]" variables - this takes the same space, and
seems safer than deconsting a string literal.

During the tag library refactoring, the shout plugin was disabled, and
I forgot about adapting it to the new API.

Apply the same fixes to the oggflac decoder plugin.

This releases several include file dependencies. As a side effect,
"CHUNK_SIZE" isn't defined by decoder_api.h anymore, so we have to
define it directly in the plugins which need it. It just isn't worth
it to add it to the decoder plugin API.

It was possible for the decoder thread to go into an endless loop
(flac and oggflac decoders): when a "STOP" command arrived, the Read()
callback would return 0, but the EOF() callback returned false. Fix:
when decoder_get_command()!=NONE, return EOF==true.

When we introduced decoder_read(), we added code which aborts the read
operation when a decoder command arrives. Several plugins however did
not expect that when they were converted to decoder_read(). Add
proper checks to the mp3 and flac decoder plugins.

The code said "decoder_command==STOP" because that was a conversion
from the old "dc->stop" test. As we can now check for all commands in
one test, we can simply rewrite that to decoder_command!=NONE.

The old code called can_seek() with the uninitialized pointer
"isp.is". Has this ever worked? Anyway, initialize "isp" first, then
call can_seek(&isp).

Move everything related to finding and initializing the WVC stream to
wavpack_open_wvc(). This greatly simplifies its error handling and
the function wavpack_streamdecode().

On our way to stabilize the decoder API, we will one day remove the
input stream functions. The most basic function, read(), will be
provided by decoder_api.h with this patch. It already contains a loop
(still with manual polling), error/eof handling and decoder command
checks. This kind of code used to be duplicated in all decoder
plugins.

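The decoder_read() loop just described, together with the endless-loop fix for the flac/oggflac EOF() callback a few messages above, can be modelled in isolation. The block below is an added example, not MPD's code: the struct and function names (decoder_read, input_stream_read, input_stream_eof, eof_cb_old, eof_cb_new, run_driver, scenario) are hypothetical stand-ins for the real API, the input stream is a constructed in-memory buffer, and the "driver" stands in for a libFLAC-style library that keeps calling the read and EOF callbacks. It shows why a pending command has to make EOF() return true: otherwise read() returns 0 forever while EOF() keeps returning false.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MPD code. Names model MPD's decoder_read() and
 * input stream API but are hypothetical. */
enum decoder_command { DECODE_COMMAND_NONE, DECODE_COMMAND_STOP };

struct decoder {
    enum decoder_command command;   /* written by the player thread */
};

/* Constructed in-memory stream: `chunk` caps each read (so short reads are
 * normal), `stalls` makes the first reads return no data without being EOF. */
struct input_stream {
    const uint8_t *data;
    size_t size, pos, chunk;
    int stalls;
    int polls;      /* how often decoder_read() had to retry */
};

static const uint8_t sample_data[100] = { 0 };  /* constructed payload */

static void input_stream_init(struct input_stream *is, int stalls)
{
    memset(is, 0, sizeof *is);
    is->data = sample_data;
    is->size = sizeof sample_data;
    is->chunk = 16;
    is->stalls = stalls;
}

static size_t input_stream_read(struct input_stream *is, void *buf, size_t len)
{
    if (is->stalls > 0) {
        is->stalls--;
        return 0;                   /* nothing available yet, not EOF */
    }
    size_t n = is->size - is->pos;
    if (n > is->chunk) n = is->chunk;
    if (n > len) n = len;
    memcpy(buf, is->data + is->pos, n);
    is->pos += n;
    return n;
}

static bool input_stream_eof(const struct input_stream *is)
{
    return is->pos >= is->size;
}

/* Shared read helper: returns >0 bytes, or 0 meaning "stop and look at
 * decoder->command and the stream state". An empty-but-open stream is
 * retried, so 0 never means "try again". */
size_t decoder_read(struct decoder *d, struct input_stream *is, void *buf, size_t len)
{
    for (;;) {
        if (d->command != DECODE_COMMAND_NONE)
            return 0;               /* a command is pending: abort the read */
        size_t n = input_stream_read(is, buf, len);
        if (n > 0)
            return n;
        if (input_stream_eof(is))
            return 0;
        is->polls++;                /* real code sleeps briefly here */
    }
}

/* EOF callback before the fix (ignores a pending command) and after it. */
bool eof_cb_old(const struct decoder *d, const struct input_stream *is)
{
    (void)d;
    return input_stream_eof(is);
}

bool eof_cb_new(const struct decoder *d, const struct input_stream *is)
{
    return d->command != DECODE_COMMAND_NONE || input_stream_eof(is);
}

/* Models the library's decode loop. stop_after >= 0 injects a STOP command
 * once that many bytes were consumed (standing in for the player thread).
 * Returns the iteration count, or -1 if the loop did not finish within
 * max_iter, i.e. it would spin forever in reality. */
int run_driver(struct decoder *d, struct input_stream *is,
               bool (*eof_cb)(const struct decoder *, const struct input_stream *),
               long stop_after, int max_iter)
{
    uint8_t buf[32];
    size_t total = 0;
    int iter = 0;
    while (!eof_cb(d, is)) {
        if (++iter > max_iter)
            return -1;
        total += decoder_read(d, is, buf, sizeof buf);
        if (stop_after >= 0 && total >= (size_t)stop_after)
            d->command = DECODE_COMMAND_STOP;
    }
    return iter;
}

/* Runs one scenario on a fresh decoder and stream. */
int scenario(bool fixed_callback, int stalls, long stop_after)
{
    struct decoder d = { DECODE_COMMAND_NONE };
    struct input_stream is;
    input_stream_init(&is, stalls);
    return run_driver(&d, &is, fixed_callback ? eof_cb_new : eof_cb_old,
                      stop_after, 1000);
}

int main(void)
{
    printf("no STOP, 2 stalls:   %d iterations\n", scenario(true, 2, -1));
    printf("STOP at 40, old eof: %d (-1 = endless loop)\n", scenario(false, 0, 40));
    printf("STOP at 40, new eof: %d iterations\n", scenario(true, 0, 40));
    return 0;
}
```

With a 100-byte stream read in 16-byte chunks, the driver needs seven iterations to reach EOF whether or not the stream stalls first, because decoder_read() absorbs the stalls. Injecting STOP after 40 bytes ends the old callback variant in the -1 case (read() returns 0, EOF() stays false) and the fixed variant after three iterations; the plugin-side rule that follows from this is that a 0 from decoder_read() must always be followed by a decoder_get_command() check.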
If the input stream is not seekable, the try_decode() function
consumes valuable data, which is not available to the decode()
function anymore. This means that the decode() function does not
parse the header correctly. Better skip the detection if we cannot
seek. Or implement better buffering, something like unread() or
buffered rewind().

The return value of audio_linear_dither() is always cast to
mpd_sint16. Returning long does not make sense, and consumed 8 bytes
on a 64 bit platform.

The output buffer is always flushed after being appended to, which
allows us to assume it is always empty. Always start writing at
outputBuffer, don't remember outputPtr.

Fill the whole output buffer at a time by using dither_buffer()'s
ability to decode blocks. Calculate how many samples fit into the
output buffer before each invocation.

Simplifying loops for performance: why check dropSamplesAtEnd in every
iteration, when we could modify the loop boundary? The (writable)
variable samplesLeft can be eliminated; add a write-once variable
pcm_length instead, which is used for the loop condition.

The variable samplesPerFrame is used only in one single closure. Make
it local to this closure. The compiler will probably convert it to a
register anyway.

Preparing for simplifying and thus speeding up the dithering code:
moved dithering to a separate function which contains a trivial loop.
With this patch, only one sample is dithered at a time, but the
following patches will allow us to dither a whole block at a time,
without complicated buffer length checks.

Copy some code from aac_decode() to aac_stream_decode() and apply
necessary changes to allow streaming audio data. Both functions might
be merged later.

initAacBuffer() should really only initialize the buffer; currently,
it also reads data from the input stream and parses the header. All
of the AAC buffer code should probably be moved to a separate library
anyway.

Shifting from the buffer queue is a common operation, and should be
provided as a separate function. Move code to aac_buffer_shift() and
add a bunch of assertions.

When checking for EOF, we should not check whether the read request
has been fully satisfied. The InputStream API does not guarantee
that readFromInputStream() always fills the whole buffer, if EOF is
not reached. Since there is the function inputStreamAtEOF() dedicated
to this purpose, we should use it for EOF checking after
readFromInputStream()==0.

Fill the AacBuffer even when nothing has been consumed yet. The
function should not check for consumed data, but for free space at the
end of the buffer.
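
The last three messages describe one buffer discipline: shift consumed bytes out of the front, fill whatever free space remains at the end regardless of whether anything was consumed, and conclude EOF only from a zero-byte read plus the dedicated EOF check, never from a short read. The block below is an added example, not MPD's code; aac_buffer_shift() and aac_buffer_fill() here are hypothetical reimplementations of that discipline over a constructed byte source (struct source, with reads capped at max_chunk bytes), and fill_with_short_read_as_eof() reproduces the mistake the EOF message warns about so the two can be compared on the same input.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MPD code: hypothetical stand-in for the AAC buffer. */
#define AAC_BUFFER_SIZE 32

struct aac_buffer {
    uint8_t data[AAC_BUFFER_SIZE];
    size_t length;      /* valid bytes in data[0 .. length) */
    bool at_eof;        /* set only via the source's own EOF check */
};

/* Constructed byte source whose reads are capped at max_chunk bytes, so a
 * short read is routine and says nothing about EOF. */
struct source {
    const uint8_t *data;
    size_t size, pos, max_chunk;
};

static size_t source_read(struct source *s, uint8_t *buf, size_t len)
{
    size_t n = s->size - s->pos;
    if (n > s->max_chunk) n = s->max_chunk;
    if (n > len) n = len;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

static bool source_at_eof(const struct source *s)
{
    return s->pos >= s->size;
}

/* Drop the first `consumed` bytes (what the header/frame parser used up). */
void aac_buffer_shift(struct aac_buffer *b, size_t consumed)
{
    assert(consumed <= b->length);
    memmove(b->data, b->data + consumed, b->length - consumed);
    b->length -= consumed;
}

/* Top up the free space at the end, whether or not anything was consumed
 * before. EOF is concluded only from a zero read plus the dedicated check;
 * a short read is not EOF. Returns bytes added. */
size_t aac_buffer_fill(struct aac_buffer *b, struct source *s)
{
    size_t rest = AAC_BUFFER_SIZE - b->length;
    if (rest == 0)
        return 0;   /* full: caller has to consume first */
    size_t n = source_read(s, b->data + b->length, rest);
    if (n == 0) {
        b->at_eof = source_at_eof(s);
        return 0;
    }
    b->length += n;
    return n;
}

/* The mistake described above: "EOF" whenever the request was not fully
 * satisfied. With max_chunk < free space this fires on an ordinary read. */
static bool fill_with_short_read_as_eof(struct aac_buffer *b, struct source *s)
{
    size_t rest = AAC_BUFFER_SIZE - b->length;
    if (rest == 0)
        return false;
    size_t n = source_read(s, b->data + b->length, rest);
    b->length += n;
    return n < rest;
}

/* Pushes `size` bytes (constructed payload, payload[i] == i) through the
 * buffer in 7-byte frames and returns how many bytes reached the decoder,
 * checking that shifting kept the byte order intact. `correct_eof` picks
 * the proper fill routine or the short-read-as-EOF one. Returns 0 if the
 * buffer contents were ever found out of order. */
size_t drain(size_t size, size_t max_chunk, bool correct_eof)
{
    static uint8_t payload[100];
    for (size_t i = 0; i < sizeof payload; i++)
        payload[i] = (uint8_t)i;
    assert(size <= sizeof payload);
    struct source s = { payload, size, 0, max_chunk };
    struct aac_buffer b = { {0}, 0, false };
    size_t delivered = 0;
    for (;;) {
        if (correct_eof)
            aac_buffer_fill(&b, &s);
        else
            b.at_eof = fill_with_short_read_as_eof(&b, &s);
        while (b.length >= 7) {
            if (b.data[0] != (uint8_t)delivered)
                return 0;   /* shift went wrong */
            aac_buffer_shift(&b, 7);
            delivered += 7;
        }
        if (b.at_eof) {
            delivered += b.length; /* trailing partial frame */
            return delivered;
        }
    }
}
```

With 10-byte reads into a 32-byte buffer the correct routine delivers all 100 bytes, while the short-read variant declares EOF after the first read and loses 90 of them. With 32-byte reads the wrong variant happens to deliver everything too, which is exactly why this kind of bug survives local testing against files and only shows up on streams that return partial reads.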