[xiph-commits] r16552 - in trunk/vorbis/lib: . modes
xiphmont at svn.xiph.org
xiphmont at svn.xiph.org
Fri Sep 11 19:09:04 PDT 2009
Author: xiphmont
Date: 2009-09-11 19:09:04 -0700 (Fri, 11 Sep 2009)
New Revision: 16552
Modified:
trunk/vorbis/lib/backends.h
trunk/vorbis/lib/modes/residue_44.h
trunk/vorbis/lib/modes/residue_44u.h
trunk/vorbis/lib/res0.c
Log:
Modify fix for Trac #1572; some files from the earliest beta
accidentally used an oversized phrasebook in res decode; allow these
[technically corrept] files to play. The attack fix is still
watertight, the check is simply made in a different way.
Modified: trunk/vorbis/lib/backends.h
===================================================================
--- trunk/vorbis/lib/backends.h 2009-09-09 17:53:13 UTC (rev 16551)
+++ trunk/vorbis/lib/backends.h 2009-09-12 02:09:04 UTC (rev 16552)
@@ -109,6 +109,7 @@
/* first stage (lossless partitioning) */
int grouping; /* group n vectors per partition */
int partitions; /* possible codebooks for a partition */
+ int partvals; /* partitions ^ groupbook dim */
int groupbook; /* huffbook for partitioning */
int secondstages[64]; /* expanded out to pointers in lookup */
int booklist[512]; /* list of second stage books */
Modified: trunk/vorbis/lib/modes/residue_44.h
===================================================================
--- trunk/vorbis/lib/modes/residue_44.h 2009-09-09 17:53:13 UTC (rev 16551)
+++ trunk/vorbis/lib/modes/residue_44.h 2009-09-12 02:09:04 UTC (rev 16552)
@@ -22,7 +22,7 @@
/***** residue backends *********************************************/
static const vorbis_info_residue0 _residue_44_low={
- 0,-1, -1, 9,-1,
+ 0,-1, -1, 9,-1,-1,
/* 0 1 2 3 4 5 6 7 */
{0},
{-1},
@@ -31,7 +31,7 @@
};
static const vorbis_info_residue0 _residue_44_mid={
- 0,-1, -1, 10,-1,
+ 0,-1, -1, 10,-1,-1,
/* 0 1 2 3 4 5 6 7 8 */
{0},
{-1},
@@ -40,7 +40,7 @@
};
static const vorbis_info_residue0 _residue_44_high={
- 0,-1, -1, 10,-1,
+ 0,-1, -1, 10,-1,-1,
/* 0 1 2 3 4 5 6 7 8 */
{0},
{-1},
Modified: trunk/vorbis/lib/modes/residue_44u.h
===================================================================
--- trunk/vorbis/lib/modes/residue_44u.h 2009-09-09 17:53:13 UTC (rev 16551)
+++ trunk/vorbis/lib/modes/residue_44u.h 2009-09-12 02:09:04 UTC (rev 16552)
@@ -23,7 +23,7 @@
static const vorbis_info_residue0 _residue_44_low_un={
- 0,-1, -1, 8,-1,
+ 0,-1, -1, 8,-1,-1,
{0},
{-1},
{ .5, 1.5, 1.5, 2.5, 2.5, 4.5, 28.5},
@@ -31,7 +31,7 @@
};
static const vorbis_info_residue0 _residue_44_mid_un={
- 0,-1, -1, 10,-1,
+ 0,-1, -1, 10,-1,-1,
/* 0 1 2 3 4 5 6 7 8 9 */
{0},
{-1},
@@ -40,7 +40,7 @@
};
static const vorbis_info_residue0 _residue_44_hi_un={
- 0,-1, -1, 10,-1,
+ 0,-1, -1, 10,-1,-1,
/* 0 1 2 3 4 5 6 7 8 9 */
{0},
{-1},
Modified: trunk/vorbis/lib/res0.c
===================================================================
--- trunk/vorbis/lib/res0.c 2009-09-09 17:53:13 UTC (rev 16551)
+++ trunk/vorbis/lib/res0.c 2009-09-12 02:09:04 UTC (rev 16552)
@@ -238,6 +238,10 @@
/* verify the phrasebook is not specifying an impossible or
inconsistent partitioning scheme. */
+ /* modify the phrasebook ranging check from r16327; an early beta
+ encoder had a bug where it used an oversized phrasebook by
+ accident. These files should continue to be playable, but don't
+ allow an exploit */
{
int entries = ci->book_param[info->groupbook]->entries;
int dim = ci->book_param[info->groupbook]->dim;
@@ -247,7 +251,7 @@
if(partvals > entries) goto errout;
dim--;
}
- if(partvals < entries) goto errout;
+ info->partvals = partvals;
}
return(info);
@@ -668,7 +672,7 @@
for(j=0;j<ch;j++){
int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
- if(temp==-1)goto eopbreak;
+ if(temp==-1 || temp>=info->partvals)goto eopbreak;
partword[j][l]=look->decodemap[temp];
if(partword[j][l]==NULL)goto errout;
}
@@ -884,7 +888,7 @@
if(s==0){
/* fetch the partition word */
int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
- if(temp==-1)goto eopbreak;
+ if(temp==-1 || temp>info->partvals)goto eopbreak;
partword[l]=look->decodemap[temp];
if(partword[l]==NULL)goto errout;
}
More information about the commits
mailing list