diff options
| author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2009-07-08 19:39:23 +0000 |
|---|---|---|
| committer | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2009-07-08 19:39:23 +0000 |
| commit | 5e039e1b4c0fe25c76faa7ea107db60264edb757 (patch) | |
| tree | b886998fac2998ca1fc41d3db82c0e5d2e6aba3f /libavcodec/vorbis.c | |
| parent | 1de4ba71555fcd2cc3d9bcef004c2c70b475a465 (diff) | |
| download | ffmpeg-5e039e1b4c0fe25c76faa7ea107db60264edb757.tar.gz | |
Add extra validation checks to ff_vorbis_len2vlc.
They should not be necessary, but it seems like a reasonable precaution.
Originally committed as revision 19374 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/vorbis.c')
| -rw-r--r-- | libavcodec/vorbis.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 2148c23665..fd0cafa187 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -45,6 +45,9 @@ unsigned int ff_vorbis_nth_root(unsigned int x, unsigned int n) { // x^(1/n) // Generate vlc codes from vorbis huffman code lengths +// the two bits[p] > 32 checks should be redundant, all calling code should +// already ensure that, but since it allows overwriting the stack it seems +// reasonable to check redundantly. int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, uint_fast32_t num) { uint_fast32_t exit_at_level[33]={404,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}; @@ -63,6 +66,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, uint_fast32_t num) { } codes[p]=0; + if (bits[p] > 32) return 1; for(i=0;i<bits[p];++i) { exit_at_level[i+1]=1<<i; } @@ -79,6 +83,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, uint_fast32_t num) { ++p; for(;p<num;++p) { + if (bits[p] > 32) return 1; if (bits[p]==0) continue; // find corresponding exit(node which the tree can grow further from) for(i=bits[p];i>0;--i) { |