Fix overflow and OOB read for large ext lengths.

With an 8+ MB packet it is possible to craft an extension length
 that would overflow, bypassing the checks to ensure the extension
 data remains inside the packet.
This patch fixes that and adds a test for it.

Author: Timothy B. Terriberry

src/extensions.c

@@ -69,24 +69,23 @@ opus_int32 skip_extension(const unsigned char **data, opus_int32 len, opus_int32
          return 0;
       } else {
          opus_int32 bytes=0;
+         opus_int32 lacing;
          *header_size = 1;
          do {
             (*data)++;
             len--;
-            if (len == 0)
+            if (len < 1)
                return -1;
-            bytes += **data;
+            lacing = **data;
+            bytes += lacing;
             (*header_size)++;
-         } while (**data == 255);
+            len -= lacing;
+         } while (lacing == 255);
+         if (len < 1)
+            return -1;
          (*data)++;
          len--;
-         if (bytes <= len)
-         {
-            len -= bytes;
-            *data += bytes;
-         } else {
-            return -1;
-         }
+         *data += bytes;
          return len;
       }
    }

tests/test_opus_extensions.c

@@ -303,6 +303,20 @@ void test_extensions_parse_fail(void)
    len = opus_packet_extensions_generate(packet, sizeof(packet), ext, 4, 0);
    result = opus_packet_extensions_parse(packet, len, ext_out, &nb_ext);
    expect_true(result == OPUS_BUFFER_TOO_SMALL, "expected OPUS_BUFFER_TOO_SMALL");
+
+   /* overflow for long extension length */
+   {
+      /* about 8 MB */
+#define LENSIZE ((1U<<31)/255 + 1)
+      unsigned char *buf = malloc(LENSIZE+1);
+      len = LENSIZE+1;
+      buf[0] = 33<<1 | 1;
+      memset(buf + 1, 0xFF, LENSIZE - 1);
+      buf[LENSIZE] = 0xFE;
+      result = opus_packet_extensions_parse(buf, len, ext_out, &nb_ext);
+      expect_true(result == OPUS_INVALID_PACKET, "expected OPUS_INVALID_PACKET");
+      free(buf);
+   }
 }
 
 #define NB_RANDOM_EXTENSIONS 100000000