# HG changeset patch
# User rtognimp
# Date 1145826691 0
# Node ID d6a5ed01acdf024381447b08a071b9e6cd8e6e2f
# Parent  c925a46f7594e4808f0fe4f769e236a4d5c9e9b3
Vorbis specs requires blocksize_1 >= blocksize_0, error if it's false.
Predict buffer size from blocksize_1 and number of channels and make
sure this does not exceed AVCODEC_MAX_AUDIO_FRAME_SIZE

Patch by Uoti Urpala >>> uoti |.| urpala |@| pp1 |.| inet |.| fi <<<

diff -r c925a46f7594 -r d6a5ed01acdf vorbis.c
--- a/vorbis.c	Sat Apr 22 21:21:16 2006 +0000
+++ b/vorbis.c	Sun Apr 23 21:11:31 2006 +0000
@@ -872,10 +872,17 @@
     bl1=get_bits(gb, 4);
     vc->blocksize_0=(1<<bl0);
     vc->blocksize_1=(1<<bl1);
-    if (bl0>13 || bl0<6 || bl1>13 || bl1<6) {
+    if (bl0>13 || bl0<6 || bl1>13 || bl1<6 || bl1<bl0) {
         av_log(vc->avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (illegal blocksize). \n");
         return 3;
     }
+    // output format int16
+    if (vc->blocksize_1/2 * vc->audio_channels * 2 >
+                                             AVCODEC_MAX_AUDIO_FRAME_SIZE) {
+        av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis channel count makes "
+               "output packets too large.\n");
+        return 4;
+    }
     vc->swin=vwin[bl0-6];
     vc->lwin=vwin[bl1-6];