[FFmpeg-cvslog] Check rangebits to avoid a possible crash.
Frank Barchard
git
Wed Jan 26 04:48:51 CET 2011
ffmpeg | branch: release/0.6 | Frank Barchard <fbarchard at google.com> | Sat Jan 15 16:19:06 2011 +0000| [5e3d023702587c137ac0a725d601d26a8978a125] | committer: Janne Grunau
Check rangebits to avoid a possible crash.
Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues).
Patch by Frank Barchard, fbarchard at google
Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 13184036a6b1b1d4b61c91118c0896e9ad4634c3)
Signed-off-by: Janne Grunau <janne-ffmpeg at jannau.net>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5e3d023702587c137ac0a725d601d26a8978a125
---
libavcodec/vorbis_dec.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index a0f2342..f8067db 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -477,6 +477,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
if (floor_setup->floor_type == 1) {
uint_fast8_t maximum_class = 0;
uint_fast8_t rangebits;
+ uint_fast32_t rangemax;
uint_fast16_t floor1_values = 2;
floor_setup->decode = vorbis_floor1_decode;
@@ -530,8 +531,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
rangebits = get_bits(gb, 4);
+ rangemax = (1 << rangebits);
+ if (rangemax > vc->blocksize[1] / 2) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor value is too large for blocksize: %d (%d)\n",
+ rangemax, vc->blocksize[1] / 2);
+ return -1;
+ }
floor_setup->data.t1.list[0].x = 0;
- floor_setup->data.t1.list[1].x = (1 << rangebits);
+ floor_setup->data.t1.list[1].x = rangemax;
for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) {
More information about the ffmpeg-cvslog
mailing list