PJSIP: Heap buffer overflow in Opus codec decoding

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.

N/A

堆缓冲区溢出

PJSIP 安全漏洞

PJSIP是pjsip开源的一个免费和开源的多媒体通信库，用C语言编写，实现基于标准的协议，如SIP, SDP, RTP, STUN, TURN，和ICE。 PJSIP 2.16及之前版本存在安全漏洞，该漏洞源于Opus编解码器解码路径中缓冲区大小验证不足，可能导致堆缓冲区溢出。

N/A

N/A