Mercurial > libavcodec.hg
comparison vorbis_dec.c @ 10244:ae97152542d1 libavcodec
Add checks for per-packet mode indexes and per-header mode mapping indexes.
12_vorbis_mode_indexes.patch by chrome
maybe exploitable
| author | michael |
|---|---|
| date | Wed, 23 Sep 2009 12:09:33 +0000 |
| parents | add8ca5921ab |
| children | 8da436e9793d |
comparison
equal
deleted
inserted
replaced
| 10243:add8ca5921ab | 10244:ae97152542d1 |
|---|---|
| 791 vorbis_mode *mode_setup=&vc->modes[i]; | 791 vorbis_mode *mode_setup=&vc->modes[i]; |
| 792 | 792 |
| 793 mode_setup->blockflag=get_bits1(gb); | 793 mode_setup->blockflag=get_bits1(gb); |
| 794 mode_setup->windowtype=get_bits(gb, 16); //FIXME check | 794 mode_setup->windowtype=get_bits(gb, 16); //FIXME check |
| 795 mode_setup->transformtype=get_bits(gb, 16); //FIXME check | 795 mode_setup->transformtype=get_bits(gb, 16); //FIXME check |
| 796 mode_setup->mapping=get_bits(gb, 8); //FIXME check | 796 mode_setup->mapping=get_bits(gb, 8); |
| 797 if (mode_setup->mapping>=vc->mapping_count) { | |
| 798 av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping); | |
| 799 return 1; | |
| 800 } | |
| 797 | 801 |
| 798 AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping); | 802 AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping); |
| 799 } | 803 } |
| 800 return 0; | 804 return 0; |
| 801 } | 805 } |
| 1448 if (vc->mode_count==1) { | 1452 if (vc->mode_count==1) { |
| 1449 mode_number=0; | 1453 mode_number=0; |
| 1450 } else { | 1454 } else { |
| 1451 mode_number=get_bits(gb, ilog(vc->mode_count-1)); | 1455 mode_number=get_bits(gb, ilog(vc->mode_count-1)); |
| 1452 } | 1456 } |
| 1457 if (mode_number>=vc->mode_count) { | |
| 1458 av_log(vc->avccontext, AV_LOG_ERROR, "mode number %d out of range.\n", mode_number); | |
| 1459 return -1; | |
| 1460 } | |
| 1453 vc->mode_number=mode_number; | 1461 vc->mode_number=mode_number; |
| 1454 mapping=&vc->mappings[vc->modes[mode_number].mapping]; | 1462 mapping=&vc->mappings[vc->modes[mode_number].mapping]; |
| 1455 | 1463 |
| 1456 AV_DEBUG(" Mode number: %d , mapping: %d , blocktype %d \n", mode_number, vc->modes[mode_number].mapping, vc->modes[mode_number].blockflag); | 1464 AV_DEBUG(" Mode number: %d , mapping: %d , blocktype %d \n", mode_number, vc->modes[mode_number].mapping, vc->modes[mode_number].blockflag); |
| 1457 | 1465 |