diff options
| author | Frank Barchard <fbarchard@google.com> | 2011-01-15 16:19:06 +0000 |
|---|---|---|
| committer | Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at> | 2011-01-15 16:19:06 +0000 |
| commit | 13184036a6b1b1d4b61c91118c0896e9ad4634c3 (patch) | |
| tree | aac24e4934d05d37cb76e928bccd63c42571e948 /libavcodec | |
| parent | 03ec42aa1ce738761130335e6e6f5ef5d0d1eadf (diff) | |
| download | ffmpeg-13184036a6b1b1d4b61c91118c0896e9ad4634c3.tar.gz | |
Check rangebits to avoid a possible crash.
Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues).
Patch by Frank Barchard, fbarchard at google
Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/vorbis_dec.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c index 749e9a9396..c2bde812ef 100644 --- a/libavcodec/vorbis_dec.c +++ b/libavcodec/vorbis_dec.c @@ -483,6 +483,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) if (floor_setup->floor_type == 1) { int maximum_class = -1; uint_fast8_t rangebits; + uint_fast32_t rangemax; uint_fast16_t floor1_values = 2; floor_setup->decode = vorbis_floor1_decode; @@ -534,8 +535,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) rangebits = get_bits(gb, 4); + rangemax = (1 << rangebits); + if (rangemax > vc->blocksize[1] / 2) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor value is too large for blocksize: %d (%d)\n", + rangemax, vc->blocksize[1] / 2); + return -1; + } floor_setup->data.t1.list[0].x = 0; - floor_setup->data.t1.list[1].x = (1 << rangebits); + floor_setup->data.t1.list[1].x = rangemax; for (j = 0; j < floor_setup->data.t1.partitions; ++j) { for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) { |