author | Frank Barchard <fbarchard@google.com> | 2011-02-13 21:38:45 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2011-02-13 21:41:38 +0100 |
commit | 329e816ed7903cf078c52aecd32a3be3b5dabbee (patch) | |
tree | c41ff54000582b29c30c0b9e9fba89e3c6d8d6e8 | |
parent | d6860fb653ed42a9d35e134f843f03cc049b74f1 (diff) | |
download | ffmpeg-329e816ed7903cf078c52aecd32a3be3b5dabbee.tar.gz |
Check rangebits to avoid a possible crash.
Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues).
Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 13184036a6b1b1d4b61c91118c0896e9ad4634c3)
Addresses: CVE-2011-0480
Conflicts:
libavcodec/vorbis_dec.c
-rw-r--r-- | libavcodec/vorbis_dec.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 541a406722..5b8b056393 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -466,6 +466,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
 if (floor_setup->floor_type==1) {
 uint_fast8_t maximum_class=0;
 uint_fast8_t rangebits;
+ uint_fast32_t rangemax;
 uint_fast16_t floor1_values=2;
 floor_setup->decode=vorbis_floor1_decode;
@@ -526,8 +527,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
 rangebits=get_bits(gb, 4);
+ rangemax = (1 << rangebits);
+ if (rangemax > vc->blocksize[1] / 2) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor value is too large for blocksize: %d (%d)\n",
+ rangemax, vc->blocksize[1] / 2);
+ return -1;
+ }
 floor_setup->data.t1.list[0].x = 0;
- floor_setup->data.t1.list[1].x = (1<<rangebits);
+ floor_setup->data.t1.list[1].x = rangemax;
 for(j=0;j<floor_setup->data.t1.partitions;++j) {
 for(k=0;k<floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]];++k,++floor1_values) { |
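Review bot: The `av_log` call in the second hunk prints `rangemax`, which the first hunk declares as `uint_fast32_t`, with `%d`; on platforms where `uint_fast32_t` is wider than `int` that is a variadic type mismatch, so the error path that rejects a malformed stream has undefined behaviour itself. The second argument, `vc->blocksize[1] / 2`, probably has the same problem, but the type of `blocksize` is not visible in this diff. Casting both arguments makes the message well-defined regardless of the typedef: `"Floor value is too large for blocksize: %u (%u)\n", (unsigned)rangemax, (unsigned)(vc->blocksize[1] / 2));`. A short comment above the check saying why `list[1].x` must not exceed half of `blocksize[1]` would also help, since the buffer this bound protects is not shown here. The body of `vorbis_parse_setup_hdr_floors` starts and ends outside both hunks.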