Reported by clang's static analysis in
 https://github.com/xiph/opusfile/issues/16
This would have taken about 22 TB of junk data before the first
 decoded sample to trigger, so not very likely to occur in
 practice.

Thanks to kcgen for filing the report.

 src/opusfile.c:3242:18: warning: implicit conversion from 'unsigned
       int' to 'float' changes value from 4294967295 to 4294967296
       [-Wimplicit-int-float-conversion]
           r=seed*OP_PRNG_GAIN;
                  ^~~~~~~~~~~~
 src/opusfile.c:3179:29: note: expanded from macro 'OP_PRNG_GAIN'
 # define OP_PRNG_GAIN (1.0F/0xFFFFFFFF)
                            ~^~~~~~~~~~

The ftime() function, introduced in V7 Unix (1979), gets the current
time in seconds and milliseconds, and time zone information.  It was
marked as a legacy interface in POSIX.1-2001, and removed altogether
from POSIX.1-2008.  The gettimeofday() function, originally from
4.1 BSD, gets the current time in seconds and microseconds, and optional
time zone information, and was marked as obsolete in POSIX.1-2008
although it was kept in the standard.  The POSIX recommended function
for getting time with sub-second resolution is clock_gettime(), which
was introduced in POSIX.1b-1993 and is now part of the base POSIX
standard; it supports multiple clocks and nanosecond resolution.
Additionally the function timespec_get() was introduced in C11 and also
supports nanosecond resolution.

To support dates beyond the year 2038, glibc and other libraries are
being updated to support 64-bit time_t even on 32-bit architectures,
requiring new implementations of interfaces that work with time.  As
part of this effort, the ftime() function was deprecated in glibc 2.31
(released February 1, 2020), a warning is now issued when building code
that uses this function, and removal is planned for a future version of
glibc (https://sourceware.org/pipermail/libc-announce/2020/000025.html).

ftime() is used in http.c to measure time intervals with millisecond
resolution.  To avoid the glibc 2.31 deprecation warning and further
issues when the function is removed entirely from glibc, clock_gettime()
is now used instead when it is available in the C library, as it is on
current Linux systems.  Prior to glibc 2.17, clock_gettime() required
linking with librt; on such systems ftime() will continue to be used, to
avoid an additional library dependency.  macOS provides clock_gettime()
starting in macOS 10.12; earlier versions will continue to use ftime().
Windows provides ftime() but not clock_gettime(), so ftime() will
continue to be used on Windows.

ftime(), gettimeofday(), and clock_gettime() with the CLOCK_REALTIME
clock get the "real time", which is subject to jumps if set by an
administrator or time service.  The CLOCK_MONOTONIC clock does not have
this problem and is more suitable for measuring time intervals.  On
Linux, the CLOCK_BOOTTIME clock measures the time since last boot and is
the same as CLOCK_MONOTONIC except that the Linux CLOCK_MONOTONIC clock
does not advance when the system is suspended.  Because it is used to
measure time intervals, CLOCK_BOOTTIME or CLOCK_MONOTONIC are used when
available, when clock_gettime() is used.  However the only clock
required by POSIX.1-2008 is CLOCK_REALTIME, so that will be used if the
other clocks are not available.

It is possible for us to buffer multiple out-of-sequence pages with no packets
 on them before getting one that does have packets.
In this case, libogg will report each hole in the page sequence numbers
 separately.
Since we were only checking for the actual packets once after encountering a
 hole, if the total number of holes was even, we could exit
 op_fetch_and_process_page() with valid packets still in the libogg buffer.
Then, if the next page had a lot of packets, we might wind up with a total of
 more than 255 of them, overflowing our stack buffer for their durations.
That's bad.

Instead, make sure we always drain all hole reports from libogg any time we
 encounter one, to ensure we get the actual packets behind it.

Thanks to Felicia Lim for the report.

The C standard says that calling library functions (including
 memcpy) with invalid arguments (including a NULL pointer) is
 undefined behavior unless otherwise noted (which memcpy doesn't).
op_filter_read_native() invokes op_read_native() with NULL for the
 _pcm buffer, which triggers such a memcpy invocation.
Even though it should be perfectly fine in practice to pass NULL to
 memcpy when copying zero bytes, don't do it.

Thanks to a person who did not wish to be credited for the report.

The seeking functions on Windows internally dispatch to
 SetFilePointer(), whose behavior is undefined if you do not call
 it on "a file stored on a seeking device".
Check the type of file when it is opened and manually force seeks
 to fail if we do not have such a file.

Thanks to L W Anhonen for the report and Mark Harris for pointing
 out the solution used by opus-tools to avoid this problem.

When seeking using SEEK_END, the win32-specific implementation of
 op_fseek() would add the offset to the file size to get the
 absolute seek position.
However, op_mem_seek() and op_http_stream_seek() would subtract the
 offset instead.
The documentation of fseek() is not at all clear which behavior is
 correct, but I believe that the op_fseek() behavior is.

This inconsistency didn't matter for opusfile in practice, because
 we only ever use SEEK_END with an offset of 0.
However, the user can also open files with our API and use the
 resulting callbacks for their own purposes, so it would be good to
 be consistent for them.

Thanks to a person who did not wish to be credited for the report.

Stefan Strogin authored 6 years ago and Ralph Giles committed 6 years ago

LibreSSL is not yet fully API compatible with OpenSSL 1.0.2 and later,
However many APIs from OpenSSL 1.0.2 and 1.1 are already implemented in
LibreSSL 2.7.0 and later. Old approach works in newer LibreSSL version
as well, but it's not nice to force deprecated functions on LibreSSL
users.

Add additional conditionals for new LibreSSL versions to use the
available new APIs.

Signed-off-by: Ralph Giles <giles@thaumas.net>

Stefan Strogin authored 6 years ago and Timothy B. Terriberry committed 6 years ago

LibreSSL defines OPENSSL_VERSION_NUMBER to 0x20000000L, but its API is
compatible with OpenSSL 1.0.1.
Therefore redefine OPENSSL_VERSION_NUMBER to 0x1000115fL (1.0.1u) if
LibreSSL is used.

Fixes: #2327

Mark Harris authored 6 years ago and Timothy B. Terriberry committed 6 years ago

The comment must be just before the label to suppress the warning.

Mark Harris authored 6 years ago and Timothy B. Terriberry committed 6 years ago

Silence warning: Value stored to 'comment_lengths' is never read

James Zern authored 7 years ago and Timothy B. Terriberry committed 7 years ago

Check for overflow with a negative diff.

Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>

James Zern authored 7 years ago and Timothy B. Terriberry committed 7 years ago

Calculate discard_count directly with op_granpos_diff. this works
because _pcm_offset == (target_gp - pcm_start) and diff == (gp -
pcm_start).

Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>

We very carefully ensured _cur_link + 1 was in bounds, and then
 dereferenced nlinks + 1 (guaranteed to be out of bounds) instead.
Introduced in commit f83675eb.

Thanks to the Google Autfuzz project for the report.

Fixes #2326

op_fopen() and op_freopen() declare these arguments as non-NULL,
 so when building with mingw, the compiler reasonably complains
 when we check to see if they're NULL.
We could remove the OP_ARG_NONNULL tags, but the behavior of
 _wopen/_wfreopen appears to be to crash on NULL for either
 parameter.
On Linux, the behavior appears to be to handle a NULL path (fopen
 returns NULL with errno set to EFAULT, and freopen returns the
 passed FILE * with errno set to EFAULT), but crash on a NULL mode.
Keeping the OP_ARG_NONNULL tags promises that passing NULL results
 in undefined behavior, which is at least consistent with the
 behavior being different on different platforms.
It's also consistent with the ABI promises of previous releases,
 which compilers linking against libopusfile might have taken
 advantage of.

We inherited the term "source" from vorbisfile's "datasource", but
 were using it interchangeably with stream.
At least one user did not even realize the that the _source
 parameter passed to op_open_callbacks() was the same as the
 _stream parameter taken by those callbacks, which is reasonable
 because we never said so.
Consistently use "stream" instead of "source" in both the
 documentation and the code.

These two asserts used to be in separate branches, but the code was
 consolidated into a single branch by e6350334.
However, the asserts were not updated at the same time.
With an IPv6 address, the sockaddr_in assert would always fail.

Thanks to Mark Harris for the report.

The tags have two possible representations of the binary suffix
 data.
An implicit one: if comment_lengths and user_comments are NULL,
 then the length of the binary suffix data is 0 and the pointer to
 that data is also implicitly taken to be NULL.
And an explicit one: if comment_lengths and user_comments are
 non-NULL, then comment_lengths[comments] and
 user_comments[comments] contains the length and pointer to the
 binary suffix data (where "comments" is the number of user
 comments).

The implicit one allows us to initialize a tags struct without
 doing any allocations, which ensures it always succeeds.
op_tags_ensure_capacity() may upgrade the implicit representation
 to the explicit representation.
However, when doing so, it stores the implicit (0, NULL) values
 in their new explicit locations at the end of the array assuming
 the requested capacity will become the new size.
If the caller of op_tags_ensure_capacity() then fails before
 enlarging the array to that size, then comment_lengths and
 user_comments will be non-NULL, but the explicit locations for the
 binary suffix data for the _old_ size may not have been
 initialized.

In particular, in opus_tags_parse_impl(), if there was exactly one
 comment, and any of the three checks at the start of the main loop
 failed, then the explicit locations for the binary suffix data
 would remain uninitialized, and the call to opus_tags_clear() in
 the caller would attempt to free them.
For counts larger than 1, the extra line marked "Needed by
 opus_tags_clear()" will update the explicit location as the array
 grows, but with a count of 1 this line never gets a chance to run.

This patch fixes the problem by making op_tags_ensure_capacity()
 promote the implicit representation to explicit at _both_ the old
 and new array sizes.
We could have fixed up opus_tags_parse_impl() to do this instead,
 as suggested in the original bug reports, but doing it this way
 ensures that the tags are always in a valid state when
 op_tags_ensure_capacity() returns.

Thanks to the Google AutoFuzz Team for the report.

Fixes #2324
Fixes #2325

op_raw_seek() will fail if you try to seek to a byte position
 beyond the end of the file.
However, the "end" is defined in terms of _of->end, which is
 specifically the end of the last Ogg page found in the underlying
 source (excluding any trailing non-Ogg data).
op_raw_total(_of,-1) returns the total size of the stream by using
 _of->end, but it was also subtracting the offset of the first Opus
 page in the first link.
Since there might have been other Ogg streams concurrently
 multiplexed with the first Opus stream whose BOS pages appear
 first, or there might simply be non-Ogg junk at the start, that
 left the caller with no way to determine the valid range of byte
 offsets that could be passed to op_raw_seek().

Instead, make op_raw_total() pretend the first link starts at
 offset 0, and explicitly document that it's what defines the range
 of valid values to op_raw_seek().
This is how our own seeking_example.c was using it, anyway.

Previously, when we encountered a hole (a gap in the page sequence
 numbers), we would save off all of the packets from the first page
 after the hole, but not timestamp them.
That meant when they were actually decoded, op_pcm_tell() would
 report a timestamp of 0 until reaching the last packet on that
 page.

Instead, handle holes just like a raw seek.
We reset the granule position tracking, and attempt to timestamp
 packets backwards from the end of the page.
If the first page after the hole is an EOS page, we just throw it
 away (rather than risk playing invalid samples due to incorrect
 end-trimming).
We also throw away the first 80 ms of audio after a hole, to allow
 the decoder state to reconverge.

This patch also updates the example to report the hole and
 continue decoding, rather than immediately stopping when a hole is
 encountered, in order to test the above features.

Just in case some bozo makes a chained stream with 272,389 links
 with 16 samples in each (coded at 16 Mbps, including overheads).
This avoids quadratic behavior for simple straight-through
 playback: we no longer do a linear search on each chain boundary
 or each call to op_pcm_tell().
N seeks with M chains still requires O(N*log(M)) work.

No code changes.

As of version 1.0.2, OpenSSL can finally do automatic hostname
 validation for us.
Their implementation is likely to have received much better review
 than ours, and there are other good reasons to prefer it, so use it
 when we can.

RFC 6125 says that if the host is an IP address, a subjectAltName of
 type iPAddress must (no 2119 caps) be present and must be used.
We would still fall back to checking the Common Name if no
 subjectAltName was present.

https://marc.info/?l=openssl-dev&m=139617145216047&w=2 interprets
 RFC 6125 to say that if the host is a DNS name, but the certificate
 only contains a subjectAltName of type iPAddress, then we should
 still fall back to checking the Common Name.
We would only check the Common Name if there was no subjectAltName
 of any type.

Restructure the hostname validation to check IP addresses up-front
 and fall back to checking the Common Name in the proper cases.

sezero authored 8 years ago and Timothy B. Terriberry committed 8 years ago

If, e.g. using a differently configured config_types.h with a long
vs. int conflict in the int32 typedef, this would have resulted in
a build failure.

Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>

eroen authored 8 years ago and Timothy B. Terriberry committed 8 years ago

This fixes a build failure from undefined references to ASN1_STRING_data in
libopusurl.so.

ASN1_STRING_data is deprecated in openssl-1.1.0. The new ASN1_STRING_get0_data
is identical, except the returned string may not be modified, which we don't
do anyway.

Also include missing asn1.h header to silence compiler warnings.

X-Gentoo-Bug: 592456
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=592456

Commit d0c82543 broke builds
with --enable-assertions with error: 'tag_len' undeclared.

Fixing the simple typo in the symbol reference resolves the issue.

Some of these pointed to real potential overflows (given arbitrary
 inputs by the calling application).
I was sad about stripping const qualifiers from the struct addrinfo
 pointers, but MSVC seems to erroneously think that an array of
 pointers to constant data is itself a pointer to constant data (or
 maybe that it is not compatible with a const void *?), and
 converting the memmove()s to for loops triggered an erroneous
 warning about out-of-bounds array accesses in gcc (but on only one
 of the two identical loops).

The API and ABI is not backwards-compatible.
This is based on the prerelease version 1.1.0-pre5.
It should continue to work with older versions of OpenSSL.

Thanks to Ron Lee and the Debian project for reporting the build
 errors and testing the patch.

If the parsing fails before all comments are filled in, we will
 attempt to free any binary metadata at the position one past the
 last comment, which will be uninitialized.
Introduced in commit 0221ca95.

According to the API, you can pass in a NULL OpusTags object to
 simply check if the comment packet is valid, without storing the
 parsed results.
However, the additions to store binary metadata in commit
 0221ca95 did not check for this.

Fixes Coverity CID 149873.

In 0221ca95 the allocation result went from being stored
 directly in "_tags->user_comments[ncomments]" to being stored in
 the temporary "comment".
However, the NULL check for allocation failure was not updated to
 match.
This meant this function would almost always fail, unless you had
 added binary metadata first.

Fixes Coverity CID 149874.

This bug appears to have been present since the original code
 import.
This was a "clever" rearrangement of the control flow from the
 _fetch_and_process_packet() in vorbisfile to use a do ... while(0)
 instead of a "while(1)".
However, this also makes "continue" equivalent to "break": it does
 not actually go back to the top of the loop, because the loop
 condition is false.

This bug was harmless, because ogg_stream_pagein() then refuses to
 ingest a page with the wrong serialno, but we can simplify things
 by fixing it.
The "not strictly necessary" loop is now completely unnecessary.
The extra checks that existed in vorbisfile have all been moved to
 later in the main loop, so we can just continue that one directly,
 with no wasted work, instead of embedding a smaller loop inside.

Fixes Coverity CID 149875.

In the non-seekable case, we'll undercount some bytes at the start
 of a new link.
Still thinking about the best way to address this, but leaving a
 comment so I don't forget.

Going with "no" for now, but leave a reminder in the source code
 that this is a debatable question.