diff options
author | Chris Evans <cevans@chromium.org> | 2012-01-04 21:51:18 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-01-04 22:19:00 +0100 |
commit | 80440c5b1de1b42d51f5073868da654f81d50a68 (patch) | |
tree | 6ca498a8e117692f5ac647fce77c08eb92e06644 /libavcodec | |
parent | 89bd49b25c4cb34f5d871e5292f86662bc858589 (diff) | |
download | ffmpeg-80440c5b1de1b42d51f5073868da654f81d50a68.tar.gz |
vorbis: Fix decoder bug.
BUG=101458
Review URL: http://codereview.chromium.org/8413019
This fixes part of 2011-3895
bigned-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 68226ed9ecef675895dc55a0c58d587014639a0e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/vorbisdec.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 32ef750ead..a62c968622 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -679,7 +679,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc) res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || - res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 || + res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 || (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n", @@ -1483,6 +1483,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) uint8_t res_chan[255]; unsigned res_num = 0; int retlen = 0; + int ch_left = vc->audio_channels; if (get_bits1(gb)) { av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); @@ -1557,9 +1558,14 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) } } residue = &vc->residues[mapping->submap_residue[i]]; + if (ch_left < ch) { + av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); + return -1; + } vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); ch_res_ptr += ch * blocksize / 2; + ch_left -= ch; } // Inverse coupling |