[xiph-commits] r17539 - trunk/Tremor

tterribe at svn.xiph.org tterribe at svn.xiph.org
Sat Oct 16 14:30:29 PDT 2010


Author: tterribe
Date: 2010-10-16 14:30:28 -0700 (Sat, 16 Oct 2010)
New Revision: 17539

Modified:
   trunk/Tremor/codebook.c
Log:
Additional codebook validity checks.

Bail out of codebook loading early if the packet doesn't have enough data for
 the size of the codebooks it asked for.
This doesn't in and of itself provide any additional security, but it does make
 peak heap usage on many invalid files smaller.


Modified: trunk/Tremor/codebook.c
===================================================================
--- trunk/Tremor/codebook.c	2010-10-15 02:52:29 UTC (rev 17538)
+++ trunk/Tremor/codebook.c	2010-10-16 21:30:28 UTC (rev 17539)
@@ -41,12 +41,17 @@
 
   /* codeword ordering.... length ordered or unordered? */
   switch((int)oggpack_read(opb,1)){
-  case 0:
+  case 0:{
+    long unused;
+    /* allocated but unused entries? */
+    unused=oggpack_read(opb,1);
+    if((s->entries*(unused?1:5)+7)>>3>opb->storage-oggpack_bytes(opb))
+      goto _eofout;
     /* unordered */
     s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries);
 
     /* allocated but unused entries? */
-    if(oggpack_read(opb,1)){
+    if(unused){
       /* yes, unused entries */
 
       for(i=0;i<s->entries;i++){
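Review bot: The byte budget on the new `if((s->entries*(unused?1:5)+7)>>3>opb->storage-oggpack_bytes(opb))` line is off by up to seven bits at the end of the buffer, because oggpack_bytes() rounds a partially consumed byte up as already used, so a packet whose remaining bits exactly cover the length list can be sent to _eofout. Comparing in bits removes the rounding: `if(s->entries*(unused?1:5)>(opb->storage<<3)-oggpack_bits(opb))`, assuming oggpack_bits() is available next to oggpack_bytes() in this build. The same byte-rounded comparison is used for the quantlist check in the hunk at -115,6. The figure also deserves a comment, since one bit per entry is only a lower bound when unused entries are flagged: `/* lower bound on bits still needed: 1/entry with unused flags, else 5/entry */`. The switch's enclosing function starts before this hunk.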
@@ -67,17 +72,22 @@
     }
     
     break;
+  }
   case 1:
     /* ordered */
     {
       long length=oggpack_read(opb,5)+1;
+      if(length==0)goto _eofout;
       s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries);
 
       for(i=0;i<s->entries;){
 	long num=oggpack_read(opb,_ilog(s->entries-i));
 	if(num==-1)goto _eofout;
-	if(length>32)goto _errout;
-	for(j=0;j<num && i<s->entries;j++,i++)
+	if(length>32 || num>s->entries-i ||
+	   (num>0 && num-1>>(length>>1)>>((length+1)>>1))>0){
+	  goto _errout;
+	}
+	for(j=0;j<num;j++,i++)
 	  s->lengthlist[i]=length;
 	length++;
       }
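Review bot: The new condition `(num>0 && num-1>>(length>>1)>>((length+1)>>1))>0` relies on `-` binding tighter than `>>` and on the reader noticing that the two half-width shifts add up to `length`; explicit parentheses and a comment would make the counting bound (no more than 2^length codewords of a given length) readable: `(num>0 && ((num-1)>>(length>>1)>>((length+1)>>1))>0)` with `/* reject num>2^length; shift in two halves so no single shift count reaches 32 when length==32 */`. Because `length>32` is tested first in the same condition, the split shift is what keeps the expression defined for length==32 on a 32-bit long, and that intent is worth stating. The `for` loop now drops its `i<s->entries` guard, which is safe only because `num>s->entries-i` is rejected just above; a one-line comment there would stop the two from being decoupled later. The loop's enclosing function starts before this hunk.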
@@ -115,6 +125,8 @@
       }
       
       /* quantized values */
+      if((quantvals*s->q_quant+7)>>3>opb->storage-oggpack_bytes(opb))
+        goto _eofout;
       s->quantlist=(long *)_ogg_malloc(sizeof(*s->quantlist)*quantvals);
       for(i=0;i<quantvals;i++)
 	s->quantlist[i]=oggpack_read(opb,s->q_quant);
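Review bot: `quantvals*s->q_quant` on the new line can overflow a 32-bit long before the `>>3` is applied, since quantvals is computed outside this hunk and, if it takes the usual maptype 2 form entries*dim, may already be large enough that the extra factor wraps; signed overflow is undefined behaviour and could make the size check pass when it should not. Dividing instead of multiplying keeps the comparison in range: `if(s->q_quant>0 && quantvals>((opb->storage-oggpack_bytes(opb))*8)/s->q_quant) goto _eofout;` (the guard on q_quant only matters if a zero can reach here, which this hunk does not show). The byte-rounding of oggpack_bytes() raised on the first hunk applies to this comparison as well. The enclosing function starts before and ends after this hunk.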


