Mercurial > libavcodec.hg

changeset 10254:b9f5f8b8f073 libavcodec

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Check submap indexes. 10_vorbis_submap_indexes.patch by chrome. I am applying this even though Reimar had some comments to improve it as it fixes a serious security issue and I do not want to leave such things unfixed.
author michael
date Wed, 23 Sep 2009 14:19:17 +0000
parents 64dd9515b93b
children b81ec4ac8f96
files vorbis_dec.c
diffstat 1 files changed, 13 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/vorbis_dec.c	Wed Sep 23 13:52:56 2009 +0000
+++ b/vorbis_dec.c	Wed Sep 23 14:19:17 2009 +0000
@@ -752,9 +752,20 @@
         }
 
         for(j=0;j<mapping_setup->submaps;++j) {
+            int bits;
             skip_bits(gb, 8); // FIXME check?
-            mapping_setup->submap_floor[j]=get_bits(gb, 8);
-            mapping_setup->submap_residue[j]=get_bits(gb, 8);
+            bits=get_bits(gb, 8);
+            if (bits>=vc->floor_count) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "submap floor value %d out of range. \n", bits);
+                return -1;
+            }
+            mapping_setup->submap_floor[j]=bits;
+            bits=get_bits(gb, 8);
+            if (bits>=vc->residue_count) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "submap residue value %d out of range. \n", bits);
+                return -1;
+            }
+            mapping_setup->submap_residue[j]=bits;
 
             AV_DEBUG("   %d mapping %d submap : floor %d, residue %d \n", i, j, mapping_setup->submap_floor[j], mapping_setup->submap_residue[j]);
         }