diff options
| author | Luca Barbato <lu_zero@gentoo.org> | 2015-03-03 11:05:15 +0100 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2015-03-08 17:24:50 +0100 |
| commit | 7136a0bf88f31bb8d40a3bbd251963706fb14578 (patch) | |
| tree | 87cf4b370a2964463bb063bb00e4b603b719e165 | |
| parent | 450b02307cb631f501793b52b98b610c3a54378b (diff) | |
| download | ffmpeg-7136a0bf88f31bb8d40a3bbd251963706fb14578.tar.gz | |
vorbis: Check the vlc value in setup_classifs
The valid returned values are always at most 11bit.
Remove the previous check that assumed larger values plausible and
use a signed integer to check get_vlc2 return values.
CC: libav-stable@libav.org
(cherry picked from commit 0025f7408a0fab2cab4a950064e4784a67463994)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
| -rw-r--r-- | libavcodec/vorbisdec.c | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index d7fec98c6e..1ce9e26417 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1308,7 +1308,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, int p, j, i; unsigned c_p_c = vc->codebooks[vr->classbook].dimensions; unsigned inverse_class = ff_inverse[vr->classifications]; - unsigned temp, temp2; + int temp, temp2; for (p = 0, j = 0; j < ch_used; ++j) { if (!do_not_decode[j]) { temp = get_vlc2(&vc->gb, vc->codebooks[vr->classbook].vlc.table, @@ -1316,22 +1316,18 @@ static av_always_inline int setup_classifs(vorbis_context *vc, av_dlog(NULL, "Classword: %u\n", temp); - if (temp <= 65536) { - for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { - temp2 = (((uint64_t)temp) * inverse_class) >> 32; + if (temp < 0) { + av_log(vc->avctx, AV_LOG_ERROR, + "Invalid vlc code decoding %d channel.", j); + return AVERROR_INVALIDDATA; + } - if (i < vr->ptns_to_read) - vr->classifs[p + i] = temp - temp2 * vr->classifications; - temp = temp2; - } - } else { - for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { - temp2 = temp / vr->classifications; + for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { + temp2 = (((uint64_t)temp) * inverse_class) >> 32; - if (i < vr->ptns_to_read) - vr->classifs[p + i] = temp - temp2 * vr->classifications; - temp = temp2; - } + if (i < vr->ptns_to_read) + vr->classifs[p + i] = temp - temp2 * vr->classifications; + temp = temp2; } } p += vr->ptns_to_read; @@ -1381,7 +1377,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, voffset = vr->begin; for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error if (!pass) { - setup_classifs(vc, vr, do_not_decode, ch_used, partition_count); + int ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count); + if (ret < 0) + return ret; } for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) { for (j_times_ptns_to_read = 0, j = 0; j < ch_used; ++j) { |