vorbisdec: Check bark_map_size.

This fixes potential divisions by zero and out of array accesses.

Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2c16bf2de07c68513072bf3cc96401d2c6291a3e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 4 insertions, 0 deletions

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 4bd1cf22a3..5e23580d92 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -595,6 +595,10 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
                        "Floor 0 amplitude bits is 0.\n");
                 return AVERROR_INVALIDDATA;
             }
+            if (floor_setup->data.t0.bark_map_size == 0) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "Floor 0 bark map size is 0.\n");
+                return AVERROR_INVALIDDATA;
+            }
             floor_setup->data.t0.amplitude_offset = get_bits(gb, 8);
             floor_setup->data.t0.num_books        = get_bits(gb, 4) + 1;