[xiph-commits] r11149 - experimental/derf/theora-exp/lib

Mon Apr 17 15:32:40 PDT 2006

Author: tterribe
Date: 2006-04-17 15:32:39 -0700 (Mon, 17 Apr 2006)
New Revision: 11149

Modified:
   experimental/derf/theora-exp/lib/dequant.c
Log:
Actually check that decoded base matrix indices are in range.
Thanks to MikeS for finding this and providing a patch.


Modified: experimental/derf/theora-exp/lib/dequant.c
===================================================================

--- experimental/derf/theora-exp/lib/dequant.c	2006-04-17 22:31:19 UTC (rev 11148)
+++ experimental/derf/theora-exp/lib/dequant.c	2006-04-17 22:32:39 UTC (rev 11149)
@@ -100,7 +100,16 @@
     memcpy(qrsizes,sizes,qri*sizeof(qrsizes[0]));
     qranges->base_matrices=qrbms=(th_quant_base *)_ogg_malloc(
      (qri+1)*sizeof(qrbms[0]));
-    do memcpy(qrbms[qri],base_mats[indices[qri]],sizeof(qrbms[qri]));
+    do{
+      bmi=indices[qri];
+      /*Note: The caller is responsible for cleaning up any partially
+         constructed qinfo.*/
+      if(bmi>=nbase_mats){
+        _ogg_free(base_mats);
+        return TH_EBADHEADER;
+      }
+      memcpy(qrbms[qri],base_mats[bmi],sizeof(qrbms[qri]));
+    }
     while(qri-->0);
   }
   _ogg_free(base_mats);

