RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

vorbis: Fix decoder bug. 

BUG=101458
Review URL: http://codereview.chromium.org/8413019

This fixes part of 2011-3895

bigned-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Chris Evans 2012-01-04 21:51:18 +01:00 committed by Michael Niedermayer
parent 405e99bdfd
commit 68226ed9ec
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/vorbisdec.c
View File

@ -679,7 +679,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc)
res_setup->partition_size = get_bits(gb, 24) + 1;
/* Validations to prevent a buffer overflow later. */
if (res_setup->begin>res_setup->end ||
res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 ||
(res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
av_log(vc->avccontext, AV_LOG_ERROR,
"partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n",
@ -1483,6 +1483,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
uint8_t res_chan[255];
unsigned res_num = 0;
int retlen = 0;
int ch_left = vc->audio_channels;
if (get_bits1(gb)) {
av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
@ -1557,9 +1558,14 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
}
}
residue = &vc->residues[mapping->submap_residue[i]];
if (ch_left < ch) {
av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n");
return -1;
}
vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2);
ch_res_ptr += ch * blocksize / 2;
ch_left -= ch;
}
// Inverse coupling