[xiph-commits] r17553 - trunk/vorbis/lib
tterribe at svn.xiph.org
tterribe at svn.xiph.org
Thu Oct 21 10:54:26 PDT 2010
Author: tterribe
Date: 2010-10-21 10:54:26 -0700 (Thu, 21 Oct 2010)
New Revision: 17553
Modified:
trunk/vorbis/lib/codebook.c
Log:
Port r17539 from Tremor.
Bail out of codebook loading early if the packet doesn't have enough data for
the size of the codebooks it asked for.
Modified: trunk/vorbis/lib/codebook.c
===================================================================
--- trunk/vorbis/lib/codebook.c 2010-10-21 17:33:15 UTC (rev 17552)
+++ trunk/vorbis/lib/codebook.c 2010-10-21 17:54:26 UTC (rev 17553)
@@ -163,12 +163,17 @@
/* codeword ordering.... length ordered or unordered? */
switch((int)oggpack_read(opb,1)){
- case 0:
+ case 0:{
+ long unused;
+ /* allocated but unused entries? */
+ unused=oggpack_read(opb,1);
+ if((s->entries*(unused?1:5)+7)>>3>opb->storage-oggpack_bytes(opb))
+ goto _eofout;
/* unordered */
s->lengthlist=_ogg_malloc(sizeof(*s->lengthlist)*s->entries);
/* allocated but unused entries? */
- if(oggpack_read(opb,1)){
+ if(unused){
/* yes, unused entries */
for(i=0;i<s->entries;i++){
@@ -189,17 +194,23 @@
}
break;
+ }
case 1:
/* ordered */
{
long length=oggpack_read(opb,5)+1;
+ if(length==0)goto _eofout;
s->lengthlist=_ogg_malloc(sizeof(*s->lengthlist)*s->entries);
for(i=0;i<s->entries;){
long num=oggpack_read(opb,_ilog(s->entries-i));
if(num==-1)goto _eofout;
+ if(length>32 || num>s->entries-i ||
+ (num>0 && (num-1)>>(length-1)>1)){
+ goto _errout;
+ }
if(length>32)goto _errout;
- for(j=0;j<num && i<s->entries;j++,i++)
+ for(j=0;j<num;j++,i++)
s->lengthlist[i]=length;
length++;
}
@@ -237,6 +248,8 @@
}
/* quantized values */
+ if((quantvals*s->q_quant+7>>3)>opb->storage-oggpack_bytes(opb))
+ goto _eofout;
s->quantlist=_ogg_malloc(sizeof(*s->quantlist)*quantvals);
for(i=0;i<quantvals;i++)
s->quantlist[i]=oggpack_read(opb,s->q_quant);
More information about the commits
mailing list