[xiph-commits] r14598 - in trunk/vorbis: doc doc/xml lib

xiphmont at svn.xiph.org xiphmont at svn.xiph.org
Tue Mar 18 08:39:43 PDT 2008


Author: xiphmont
Date: 2008-03-18 08:39:43 -0700 (Tue, 18 Mar 2008)
New Revision: 14598

Modified:
   trunk/vorbis/doc/Vorbis_I_spec.pdf
   trunk/vorbis/doc/xml/08-residue.xml
   trunk/vorbis/lib/misc.c
   trunk/vorbis/lib/misc.h
   trunk/vorbis/lib/res0.c
Log:
Add code to prevent heap attacks by exploiting dim=bignum and
partition_codewords = partion_values^dim.  partition_codewords is
actually overdetermined; in the case of inconsistency, mark stream
undecodable.



Modified: trunk/vorbis/doc/Vorbis_I_spec.pdf
===================================================================
(Binary files differ)

Modified: trunk/vorbis/doc/xml/08-residue.xml
===================================================================
--- trunk/vorbis/doc/xml/08-residue.xml	2008-03-18 15:02:03 UTC (rev 14597)
+++ trunk/vorbis/doc/xml/08-residue.xml	2008-03-18 15:39:43 UTC (rev 14598)
@@ -199,21 +199,29 @@
 </programlisting>
 
 <para>
-<varname>[residue_begin]</varname> and <varname>[residue_end]</varname> select the specific
-sub-portion of each vector that is actually coded; it implements akin
-to a bandpass where, for coding purposes, the vector effectively
-begins at element <varname>[residue_begin]</varname> and ends at
-<varname>[residue_end]</varname>.  Preceding and following values in the unpacked
-vectors are zeroed.  Note that for residue type 2, these values as
-well as <varname>[residue_partition_size]</varname>apply to the interleaved
-vector, not the individual vectors before interleave.
+<varname>[residue_begin]</varname> and
+<varname>[residue_end]</varname> select the specific sub-portion of
+each vector that is actually coded; it implements akin to a bandpass
+where, for coding purposes, the vector effectively begins at element
+<varname>[residue_begin]</varname> and ends at
+<varname>[residue_end]</varname>.  Preceding and following values in
+the unpacked vectors are zeroed.  Note that for residue type 2, these
+values as well as <varname>[residue_partition_size]</varname>apply to
+the interleaved vector, not the individual vectors before interleave.
 <varname>[residue_partition_size]</varname> is as explained above,
 <varname>[residue_classifications]</varname> is the number of possible
 classification to which a partition can belong and
-<varname>[residue_classbook]</varname> is the codebook number used to code
-classification codewords.  The number of dimensions in book
-<varname>[residue_classbook]</varname> determines how many classification values
-are grouped into a single classification codeword.</para>
+<varname>[residue_classbook]</varname> is the codebook number used to
+code classification codewords.  The number of dimensions in book
+<varname>[residue_classbook]</varname> determines how many
+classification values are grouped into a single classification
+codeword.  Note that the number of entries and dimensions in book
+<varname>[residue_classbook]</varname>, along with
+<varname>[residue_classifications]</varname>, overdetermines to
+possible number of classification codewords.  If
+<varname>[residue_classifications]</varname>^<varname>[residue_classbook]</varname>.dimensions
+does not equal <varname>[residue_classbook]</varname>.entries, the
+bitstream should be regarded to be undecodable. </para>
 
 <para>
 Next we read a bitmap pattern that specifies which partition classes

Modified: trunk/vorbis/lib/misc.c
===================================================================
--- trunk/vorbis/lib/misc.c	2008-03-18 15:02:03 UTC (rev 14597)
+++ trunk/vorbis/lib/misc.c	2008-03-18 15:39:43 UTC (rev 14598)
@@ -190,7 +190,10 @@
   pthread_mutex_unlock(&memlock);
 }
 
-extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){
+void *_VDBG_malloc(void *ptr,long bytes,char *file,long line){
+  if(bytes<=0)
+    fprintf(stderr,"bad malloc request (%ld bytes) from %s:%ld\n",bytes,file,line);
+
   bytes+=HEAD_ALIGN;
   if(ptr){
     ptr-=HEAD_ALIGN;
@@ -203,7 +206,7 @@
   return _insert(ptr,bytes,file,line);
 }
 
-extern void _VDBG_free(void *ptr,char *file,long line){
+void _VDBG_free(void *ptr,char *file,long line){
   if(ptr){
     ptr-=HEAD_ALIGN;
     _ripremove(ptr);

Modified: trunk/vorbis/lib/misc.h
===================================================================
--- trunk/vorbis/lib/misc.h	2008-03-18 15:02:03 UTC (rev 14597)
+++ trunk/vorbis/lib/misc.h	2008-03-18 15:39:43 UTC (rev 14598)
@@ -19,6 +19,8 @@
 #define _V_RANDOM_H_
 #include "vorbis/codec.h"
 
+#define DEBUG_MALLOC
+
 extern int analysis_noisy;
 
 extern void *_vorbis_block_alloc(vorbis_block *vb,long bytes);
@@ -29,6 +31,7 @@
 #ifdef DEBUG_MALLOC
 
 #define _VDBG_GRAPHFILE "malloc.m"
+#undef _VDBG_GRAPHFILE
 extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line); 
 extern void _VDBG_free(void *ptr,char *file,long line); 
 

Modified: trunk/vorbis/lib/res0.c
===================================================================
--- trunk/vorbis/lib/res0.c	2008-03-18 15:02:03 UTC (rev 14597)
+++ trunk/vorbis/lib/res0.c	2008-03-18 15:39:43 UTC (rev 14598)
@@ -223,6 +223,20 @@
   for(j=0;j<acc;j++)
     if(info->booklist[j]>=ci->books)goto errout;
 
+  /* verify the phrasebook is not specifying an impossible or
+     inconsistent partitioning scheme. */
+  {
+    int entries = ci->book_param[info->groupbook]->entries;
+    int dim = ci->book_param[info->groupbook]->dim;
+    int partvals = 1;
+    while(dim>0){
+      partvals *= info->partitions;
+      if(partvals > entries) goto errout;
+      dim--;
+    }
+    if(partvals != entries) goto errout;
+  }
+
   return(info);
  errout:
   res0_free_info(info);
@@ -263,7 +277,7 @@
     }
   }
 
-  look->partvals=rint(pow((float)look->parts,(float)dim));
+  look->partvals=look->phrasebook->entries;
   look->stages=maxstage;
   look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
   for(j=0;j<look->partvals;j++){



More information about the commits mailing list