[FFmpeg-cvslog] r21729 - in branches/0.5: . libavcodec/vorbis_dec.c

siretart subversion
Tue Feb 9 20:54:42 CET 2010


Author: siretart
Date: Tue Feb  9 20:54:42 2010
New Revision: 21729

Log:
Check begin/end/partition_size.
23_vorbis_sane_partition.patch by chrome.
Also, this should be better documented, but I prefer not to leave potential
security issues open due to missing documentation.

r19996 by michael

Modified:
   branches/0.5/   (props changed)
   branches/0.5/libavcodec/vorbis_dec.c

Modified: branches/0.5/libavcodec/vorbis_dec.c
==============================================================================
--- branches/0.5/libavcodec/vorbis_dec.c	Tue Feb  9 20:52:27 2010	(r21728)
+++ branches/0.5/libavcodec/vorbis_dec.c	Tue Feb  9 20:54:42 2010	(r21729)
@@ -37,6 +37,7 @@
 #define V_NB_BITS 8
 #define V_NB_BITS2 11
 #define V_MAX_VLCS (1<<16)
+#define V_MAX_PARTITIONS (1<<20)
 
 #ifndef V_DEBUG
 #define AV_DEBUG(...)
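Review bot: `V_MAX_PARTITIONS` is added on the new side without any comment saying what it bounds, unlike the neighbouring limits it is grouped with. Since its only use in this commit is the residue-setup check further down, a one-line comment above the define would tie the two together: `/* Upper bound on (end-begin)/partition_size accepted from a residue setup header; see vorbis_parse_setup_hdr_residues. */`. Whether 1<<20 is derived from any structure size or is simply a generous sanity cap is not visible here, so the comment should not claim more than that.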
@@ -643,6 +644,14 @@ static int vorbis_parse_setup_hdr_residu
         res_setup->begin=get_bits(gb, 24);
         res_setup->end=get_bits(gb, 24);
         res_setup->partition_size=get_bits(gb, 24)+1;
+        /* Validations to prevent a buffer overflow later. */
+        if (res_setup->begin>res_setup->end
+        || res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
+        || (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
+            av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
+            return 1;
+        }
+
         res_setup->classifications=get_bits(gb, 6)+1;
         res_setup->classbook=get_bits(gb, 8);
         if (res_setup->classbook>=vc->codebook_count) {
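Review bot: The av_log line reports `vc->blocksize[1]/2` as the blocksize regardless of `res_setup->type`, while the condition two lines above bounds `end` by `vc->blocksize[1]/(res_setup->type==2?1:2)`, so for type-2 residues the diagnostic prints half the limit that was actually enforced. Hoisting the bound into a local, e.g. `max_end = vc->blocksize[1]/(res_setup->type==2?1:2);`, and using it in both the comparison and the log keeps the two in step and makes the rejection reason reproducible from the message. The comment `/* Validations to prevent a buffer overflow later. */` should name the invariants rather than the symptom — the commit log itself notes the check is under-documented; something like `/* Reject begin > end, end beyond the long blocksize (halved unless type 2), and a partition count above V_MAX_PARTITIONS, so the decoder's per-partition bookkeeping is never sized from an unchecked 24-bit header value. */` would do, with the "per-partition bookkeeping" part to be confirmed against the residue decode code, which is outside this hunk. The `%d` conversions assume `begin`/`end`/`partition_size` and `blocksize` are plain `int`; their declarations are not in the hunk, and if they are unsigned or fixed-width types the format string needs matching specifiers. vorbis_parse_setup_hdr_residues begins and ends outside the hunk.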


