diff options
| author | Jason Garrett-Glaser <[email protected]> | 2010-10-27 16:30:01 +0000 |
|---|---|---|
| committer | Janne Grunau <[email protected]> | 2011-01-24 23:25:45 +0100 |
| commit | 4ac56bf7dc2c617c9fe6dce9167d499dbb8a9b76 (patch) | |
| tree | a3be5e5b29b9877a0ef24a2ada8c3695bc7c5d6a | |
| parent | a38489c0d8ed0b37135a0e8c86efde06dd2a17c4 (diff) | |
Fix crashes in vorbis decoding found by zzuf
Fixes issue 2322.
Originally committed as revision 25591 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 3dde66752d59dfdd0f3727efd66e7202b3c75078)
Signed-off-by: Janne Grunau <[email protected]>
| -rw-r--r-- | libavcodec/vorbis_dec.c | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c index 8c56400c77..a0f2342d7c 100644 --- a/libavcodec/vorbis_dec.c +++ b/libavcodec/vorbis_dec.c @@ -61,8 +61,8 @@ typedef struct vorbis_floor0_s vorbis_floor0; typedef struct vorbis_floor1_s vorbis_floor1; struct vorbis_context_s; typedef -uint_fast8_t (* vorbis_floor_decode_func) - (struct vorbis_context_s *, vorbis_floor_data *, float *); +int (* vorbis_floor_decode_func) + (struct vorbis_context_s *, vorbis_floor_data *, float *); typedef struct { uint_fast8_t floor_type; vorbis_floor_decode_func decode; @@ -453,11 +453,11 @@ static int vorbis_parse_setup_hdr_tdtransforms(vorbis_context *vc) // Process floors part -static uint_fast8_t vorbis_floor0_decode(vorbis_context *vc, - vorbis_floor_data *vfu, float *vec); +static int vorbis_floor0_decode(vorbis_context *vc, + vorbis_floor_data *vfu, float *vec); static void create_map(vorbis_context *vc, uint_fast8_t floor_number); -static uint_fast8_t vorbis_floor1_decode(vorbis_context *vc, - vorbis_floor_data *vfu, float *vec); +static int vorbis_floor1_decode(vorbis_context *vc, + vorbis_floor_data *vfu, float *vec); static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) { GetBitContext *gb = &vc->gb; @@ -1002,8 +1002,8 @@ static av_cold int vorbis_decode_init(AVCodecContext *avccontext) // Read and decode floor -static uint_fast8_t vorbis_floor0_decode(vorbis_context *vc, - vorbis_floor_data *vfu, float *vec) +static int vorbis_floor0_decode(vorbis_context *vc, + vorbis_floor_data *vfu, float *vec) { vorbis_floor0 *vf = &vfu->t0; float *lsp = vf->lsp; @@ -1027,6 +1027,9 @@ static uint_fast8_t vorbis_floor0_decode(vorbis_context *vc, } AV_DEBUG("floor0 dec: booknumber: %u\n", book_idx); codebook = vc->codebooks[vf->book_list[book_idx]]; + /* Invalid codebook! */ + if (!codebook.codevectors) + return -1; while (lsp_len<vf->order) { int vec_off; @@ -1112,8 +1115,8 @@ static uint_fast8_t vorbis_floor0_decode(vorbis_context *vc, return 0; } -static uint_fast8_t vorbis_floor1_decode(vorbis_context *vc, - vorbis_floor_data *vfu, float *vec) +static int vorbis_floor1_decode(vorbis_context *vc, + vorbis_floor_data *vfu, float *vec) { vorbis_floor1 *vf = &vfu->t1; GetBitContext *gb = &vc->gb; @@ -1490,13 +1493,20 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) for (i = 0; i < vc->audio_channels; ++i) { vorbis_floor *floor; + int ret; if (mapping->submaps > 1) { floor = &vc->floors[mapping->submap_floor[mapping->mux[i]]]; } else { floor = &vc->floors[mapping->submap_floor[0]]; } - no_residue[i] = floor->decode(vc, &floor->data, ch_floor_ptr); + ret = floor->decode(vc, &floor->data, ch_floor_ptr); + + if (ret < 0) { + av_log(vc->avccontext, AV_LOG_ERROR, "Invalid codebook in vorbis_floor_decode.\n"); + return -1; + } + no_residue[i] = ret; ch_floor_ptr += blocksize / 2; } |