aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2014-04-30 04:12:29 +0200
committerCarl Eugen Hoyos <cehoyos@ag.or.at>2014-05-01 18:32:13 +0200
commit2c71734d9ef18b991c2947b67c4c663e0b09b72e (patch)
treed4b18c79758e9c91c670643f9631d4cb1c73eb4d
parent0759bdc315493f71871b36ed920d05a2a16965b0 (diff)
downloadffmpeg-2c71734d9ef18b991c2947b67c4c663e0b09b72e.tar.gz
avcodec/vorbisdec: try to workaround libvorbisenc bug
Fixes Ticket3590 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 0a266cb55af9794fc5cff695d35cae4111e4334f) Conflicts: libavcodec/vorbisdec.c
-rw-r--r--libavcodec/vorbisdec.c21
1 files changed, 17 insertions, 4 deletions
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 8d106b1170..3e1d41bca1 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -701,8 +701,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc)
res_setup->partition_size = get_bits(gb, 24) + 1;
/* Validations to prevent a buffer overflow later. */
if (res_setup->begin>res_setup->end ||
- res_setup->end > (res_setup->type == 2 ? vc->audio_channels : 1) * vc->blocksize[1] / 2 ||
- (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
+ (res_setup->end-res_setup->begin) / res_setup->partition_size > FFMIN(V_MAX_PARTITIONS, 65535)) {
av_log(vc->avctx, AV_LOG_ERROR,
"partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n",
res_setup->type, res_setup->begin, res_setup->end,
@@ -1325,6 +1324,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
uint8_t *classifs = vr->classifs;
unsigned pass, ch_used, i, j, k, l;
unsigned max_output = (ch - 1) * vlen;
+ int libvorbis_bug = 0;
if (vr_type == 2) {
for (j = 1; j < ch; ++j)
@@ -1339,8 +1339,13 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
}
if (max_output > ch_left * vlen) {
- av_log(vc->avctx, AV_LOG_ERROR, "Insufficient output buffer\n");
- return -1;
+ if (max_output <= ch_left * vlen + vr->partition_size*ch_used/ch) {
+ ptns_to_read--;
+ libvorbis_bug = 1;
+ } else {
+ av_log(vc->avctx, AV_LOG_ERROR, "Insufficient output buffer\n");
+ return AVERROR_INVALIDDATA;
+ }
}
av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
@@ -1466,6 +1471,14 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
voffset += vr->partition_size;
}
}
+ if (libvorbis_bug && !pass) {
+ for (j = 0; j < ch_used; ++j) {
+ if (!do_not_decode[j]) {
+ get_vlc2(&vc->gb, vc->codebooks[vr->classbook].vlc.table,
+ vc->codebooks[vr->classbook].nb_bits, 3);
+ }
+ }
+ }
}
return 0;
}