[FFmpeg-cvslog] r21730 - in branches/0.5: . libavcodec/vorbis_dec.c
siretart
subversion
Tue Feb 9 20:59:12 CET 2010
Author: siretart
Date: Tue Feb 9 20:59:11 2010
New Revision: 21730
Log:
Check submap indexes.
10_vorbis_submap_indexes.patch by chrome.
I am applying this even though Reimar had some comments to improve it as it fixes
a serious security issue and I do not want to leave such things unfixed.
backport r20001 by michael
Modified:
branches/0.5/ (props changed)
branches/0.5/libavcodec/vorbis_dec.c
Modified: branches/0.5/libavcodec/vorbis_dec.c
==============================================================================
--- branches/0.5/libavcodec/vorbis_dec.c Tue Feb 9 20:54:42 2010 (r21729)
+++ branches/0.5/libavcodec/vorbis_dec.c Tue Feb 9 20:59:11 2010 (r21730)
@@ -757,9 +757,20 @@ static int vorbis_parse_setup_hdr_mappin
}
for(j=0;j<mapping_setup->submaps;++j) {
+ int bits;
skip_bits(gb, 8); // FIXME check?
- mapping_setup->submap_floor[j]=get_bits(gb, 8);
- mapping_setup->submap_residue[j]=get_bits(gb, 8);
+ bits=get_bits(gb, 8);
+ if (bits>=vc->floor_count) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "submap floor value %d out of range. \n", bits);
+ return -1;
+ }
+ mapping_setup->submap_floor[j]=bits;
+ bits=get_bits(gb, 8);
+ if (bits>=vc->residue_count) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "submap residue value %d out of range. \n", bits);
+ return -1;
+ }
+ mapping_setup->submap_residue[j]=bits;
AV_DEBUG(" %d mapping %d submap : floor %d, residue %d \n", i, j, mapping_setup->submap_floor[j], mapping_setup->submap_residue[j]);
}
More information about the ffmpeg-cvslog
mailing list