mod_fsv: Check audio/video frame size for possible buffer overflow and abort playback

Audio frame sizes were already being checked for overflow,
but video frame sizes were taken as-is, which would
lead to heap corruption.

In case an overflow has been detected, playback is aborted immediately as
there is no way we can ever recover from such a situation due to the lack
of a (well-known) frame header signature that could be used to skip over
the corrupted part of the streams.

Signed-off-by: Stefan Knoblich <stkn@openisdn.net>
Stefan Knoblich 2013-01-21 23:18:16 +01:00
parent dd8784a9e0
commit d311b4380e
1 changed files with 16 additions and 2 deletions


@ -403,6 +403,15 @@ SWITCH_STANDARD_APP(play_fsv_function)
switch_rtp_hdr_t *hdr = vid_frame.packet;
bytes &= ~VID_BIT;
/*
* Frame is larger than available buffer space. This error is non-recoverable due to the
* structure of the .fsv format (no frame header signature to re-sync).
*/
if (bytes > ((int) vid_frame.buflen + 12)) {
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_CRIT, "Corrupt .fsv video frame header is overflowing read buffer, aborting!\n");
break;
}
if ((vid_frame.packetlen = read(fd, vid_frame.packet, bytes)) != (uint32_t) bytes) {
break;
}
@ -425,10 +434,15 @@ SWITCH_STANDARD_APP(play_fsv_function)
}
last = ts;
} else {
/*
* Frame is larger than available buffer space. This error is non-recoverable due to the
* structure of the .fsv format (no frame header signature to re-sync).
*/
if (bytes > (int) write_frame.buflen) {
bytes = write_frame.buflen;
switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_CRIT, "Corrupt .fsv audio frame header is overflowing read buffer, aborting!\n");
break;
}
if ((write_frame.datalen = read(fd, write_frame.data, bytes)) <= 0) {
break;
}
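Review bot: The audio read that closes the second hunk, `if ((write_frame.datalen = read(fd, write_frame.data, bytes)) <= 0)`, still accepts a short read. If `datalen` is unsigned, as `packetlen` appears to be from the `(uint32_t) bytes` comparison in the video branch, it also cannot see a `read()` failure, because -1 would be stored as a very large length and pass the `<= 0` test. Since the commit message says the stream cannot be re-synchronised, a partial or failed audio read should abort the way the video branch does, e.g. `if ((write_frame.datalen = read(fd, write_frame.data, bytes)) != (uint32_t) bytes) {`. Separately, the video bound `(int) vid_frame.buflen + 12` relies on `vid_frame.packet` pointing at a buffer 12 bytes larger than `buflen`, which is set up outside these hunks; a named constant for the 12, with a comment tying it to that layout, would make the check auditable. The body of play_fsv_function starts and ends outside both hunks.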