libavcodec.hg: vorbis_dec.c comparison

comparison vorbis_dec.c @ 10250:6e01bba7a930 libavcodec

Check begin/end/partition_size. 23_vorbis_sane_partition.patch by chrome. Also this should be better documented but i prefer not to leave potential security issues open due to missing documentation.

author	michael
date	Wed, 23 Sep 2009 13:08:48 +0000
parents	d82fb1889446
children	b9ea1706bf27

comparison

equal deleted inserted replaced

-:e56302a77ca9
+:6e01bba7a930
 #include "xiph.h"
 #define V_NB_BITS 8
 #define V_NB_BITS2 11
 #define V_MAX_VLCS (1<<16)
+#define V_MAX_PARTITIONS (1<<20)
 #ifndef V_DEBUG
 #define AV_DEBUG(...)
 #endif
 AV_DEBUG(" %d. residue type %d \n", i, res_setup->type);
 res_setup->begin=get_bits(gb, 24);
 res_setup->end=get_bits(gb, 24);
 res_setup->partition_size=get_bits(gb, 24)+1;
+/* Validations to prevent a buffer overflow later. */
+if (res_setup->begin>res_setup->end
+|| res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+|| (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
+av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
+return 1;
+}
 res_setup->classifications=get_bits(gb, 6)+1;
 res_setup->classbook=get_bits(gb, 8);
 if (res_setup->classbook>=vc->codebook_count) {
 av_log(vc->avccontext, AV_LOG_ERROR, "classbook value %d out of range. \n", res_setup->classbook);
 return 1;

Mercurial > libavcodec.hg

comparison vorbis_dec.c @ 10250:6e01bba7a930 libavcodec