[xiph-commits] r16222 - trunk/vorbis/lib
xiphmont at svn.xiph.org
xiphmont at svn.xiph.org
Tue Jul 7 22:37:18 PDT 2009
Author: xiphmont
Date: 2009-07-07 22:37:18 -0700 (Tue, 07 Jul 2009)
New Revision: 16222
Modified:
trunk/vorbis/lib/codebook.c
trunk/vorbis/lib/floor1.c
trunk/vorbis/lib/info.c
trunk/vorbis/lib/mapping0.c
Log:
Commit additional hardening to seyup packet decode; some of the checks are redundant, but possibly a good proof against future changes.
Modified: trunk/vorbis/lib/codebook.c
===================================================================
--- trunk/vorbis/lib/codebook.c 2009-07-08 02:17:57 UTC (rev 16221)
+++ trunk/vorbis/lib/codebook.c 2009-07-08 05:37:18 UTC (rev 16222)
@@ -222,6 +222,7 @@
s->q_delta=oggpack_read(opb,32);
s->q_quant=oggpack_read(opb,4)+1;
s->q_sequencep=oggpack_read(opb,1);
+ if(s->q_sequencep==-1)goto _eofout;
{
int quantvals=0;
Modified: trunk/vorbis/lib/floor1.c
===================================================================
--- trunk/vorbis/lib/floor1.c 2009-07-08 02:17:57 UTC (rev 16221)
+++ trunk/vorbis/lib/floor1.c 2009-07-08 05:37:18 UTC (rev 16222)
@@ -133,6 +133,7 @@
info->partitions=oggpack_read(opb,5); /* only 0 to 31 legal */
for(j=0;j<info->partitions;j++){
info->partitionclass[j]=oggpack_read(opb,4); /* only 0 to 15 legal */
+ if(info->partitionclass[j]<0)goto err_out;
if(maxclass<info->partitionclass[j])maxclass=info->partitionclass[j];
}
@@ -155,6 +156,7 @@
/* read the post list */
info->mult=oggpack_read(opb,2)+1; /* only 1,2,3,4 legal now */
rangebits=oggpack_read(opb,4);
+ if(rangebits<0)goto err_out;
for(j=0,k=0;j<info->partitions;j++){
count+=info->class_dim[info->partitionclass[j]];
Modified: trunk/vorbis/lib/info.c
===================================================================
--- trunk/vorbis/lib/info.c 2009-07-08 02:17:57 UTC (rev 16221)
+++ trunk/vorbis/lib/info.c 2009-07-08 05:37:18 UTC (rev 16222)
@@ -246,7 +246,7 @@
_v_readstring(opb,vc->vendor,vendorlen);
i=oggpack_read(opb,32);
if(i<0)goto err_out;
- if(4*i+oggpack_bytes(opb)>opb->storage)goto err_out;
+ if(i>((opb->storage-oggpack_bytes(opb))>>2))goto err_out;
vc->comments=i;
vc->user_comments=_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
vc->comment_lengths=_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
@@ -276,7 +276,7 @@
/* codebooks */
ci->books=oggpack_read(opb,8)+1;
- /*ci->book_param=_ogg_calloc(ci->books,sizeof(*ci->book_param));*/
+ if(ci->books<=0)goto err_out;
for(i=0;i<ci->books;i++){
ci->book_param[i]=_ogg_calloc(1,sizeof(*ci->book_param[i]));
if(vorbis_staticbook_unpack(opb,ci->book_param[i]))goto err_out;
@@ -285,6 +285,7 @@
/* time backend settings; hooks are unused */
{
int times=oggpack_read(opb,6)+1;
+ if(times<=0)goto err_out;
for(i=0;i<times;i++){
int test=oggpack_read(opb,16);
if(test<0 || test>=VI_TIMEB)goto err_out;
@@ -293,8 +294,7 @@
/* floor backend settings */
ci->floors=oggpack_read(opb,6)+1;
- /*ci->floor_type=_ogg_malloc(ci->floors*sizeof(*ci->floor_type));*/
- /*ci->floor_param=_ogg_calloc(ci->floors,sizeof(void *));*/
+ if(ci->floors<=0)goto err_out;
for(i=0;i<ci->floors;i++){
ci->floor_type[i]=oggpack_read(opb,16);
if(ci->floor_type[i]<0 || ci->floor_type[i]>=VI_FLOORB)goto err_out;
@@ -304,8 +304,7 @@
/* residue backend settings */
ci->residues=oggpack_read(opb,6)+1;
- /*ci->residue_type=_ogg_malloc(ci->residues*sizeof(*ci->residue_type));*/
- /*ci->residue_param=_ogg_calloc(ci->residues,sizeof(void *));*/
+ if(ci->residues<=0)goto err_out;
for(i=0;i<ci->residues;i++){
ci->residue_type[i]=oggpack_read(opb,16);
if(ci->residue_type[i]<0 || ci->residue_type[i]>=VI_RESB)goto err_out;
@@ -315,8 +314,7 @@
/* map backend settings */
ci->maps=oggpack_read(opb,6)+1;
- /*ci->map_type=_ogg_malloc(ci->maps*sizeof(*ci->map_type));*/
- /*ci->map_param=_ogg_calloc(ci->maps,sizeof(void *));*/
+ if(ci->maps<=0)goto err_out;
for(i=0;i<ci->maps;i++){
ci->map_type[i]=oggpack_read(opb,16);
if(ci->map_type[i]<0 || ci->map_type[i]>=VI_MAPB)goto err_out;
@@ -326,7 +324,7 @@
/* mode settings */
ci->modes=oggpack_read(opb,6)+1;
- /*vi->mode_param=_ogg_calloc(vi->modes,sizeof(void *));*/
+ if(ci->modes<=0)goto err_out;
for(i=0;i<ci->modes;i++){
ci->mode_param[i]=_ogg_calloc(1,sizeof(*ci->mode_param[i]));
ci->mode_param[i]->blockflag=oggpack_read(opb,1);
@@ -337,6 +335,7 @@
if(ci->mode_param[i]->windowtype>=VI_WINDOWB)goto err_out;
if(ci->mode_param[i]->transformtype>=VI_WINDOWB)goto err_out;
if(ci->mode_param[i]->mapping>=ci->maps)goto err_out;
+ if(ci->mode_param[i]->mapping<0)goto err_out;
}
if(oggpack_read(opb,1)!=1)goto err_out; /* top level EOP check */
Modified: trunk/vorbis/lib/mapping0.c
===================================================================
--- trunk/vorbis/lib/mapping0.c 2009-07-08 02:17:57 UTC (rev 16221)
+++ trunk/vorbis/lib/mapping0.c 2009-07-08 05:37:18 UTC (rev 16222)
@@ -100,19 +100,24 @@
/* also responsible for range checking */
static vorbis_info_mapping *mapping0_unpack(vorbis_info *vi,oggpack_buffer *opb){
- int i;
+ int i,b;
vorbis_info_mapping0 *info=_ogg_calloc(1,sizeof(*info));
codec_setup_info *ci=vi->codec_setup;
memset(info,0,sizeof(*info));
- if(oggpack_read(opb,1))
+ b=oggpack_read(opb,1);
+ if(b<0)goto err_out;
+ if(b){
info->submaps=oggpack_read(opb,4)+1;
- else
+ if(info->submaps<=0)goto err_out;
+ }else
info->submaps=1;
- if(oggpack_read(opb,1)){
+ b=oggpack_read(opb,1);
+ if(b<0)goto err_out;
+ if(b){
info->coupling_steps=oggpack_read(opb,8)+1;
-
+ if(info->coupling_steps<=0)goto err_out;
for(i=0;i<info->coupling_steps;i++){
int testM=info->coupling_mag[i]=oggpack_read(opb,ilog(vi->channels));
int testA=info->coupling_ang[i]=oggpack_read(opb,ilog(vi->channels));
@@ -126,20 +131,20 @@
}
- if(oggpack_read(opb,2)>0)goto err_out; /* 2,3:reserved */
+ if(oggpack_read(opb,2)!=0)goto err_out; /* 2,3:reserved */
if(info->submaps>1){
for(i=0;i<vi->channels;i++){
info->chmuxlist[i]=oggpack_read(opb,4);
- if(info->chmuxlist[i]>=info->submaps)goto err_out;
+ if(info->chmuxlist[i]>=info->submaps || info->chmuxlist[i]<0)goto err_out;
}
}
for(i=0;i<info->submaps;i++){
oggpack_read(opb,8); /* time submap unused */
info->floorsubmap[i]=oggpack_read(opb,8);
- if(info->floorsubmap[i]>=ci->floors)goto err_out;
+ if(info->floorsubmap[i]>=ci->floors || info->floorsubmap[i]<0)goto err_out;
info->residuesubmap[i]=oggpack_read(opb,8);
- if(info->residuesubmap[i]>=ci->residues)goto err_out;
+ if(info->residuesubmap[i]>=ci->residues || info->residuesubmap[i]<0)goto err_out;
}
return info;
More information about the commits
mailing list