[FFmpeg-cvslog] r19990 - trunk/libavcodec/vorbis_dec.c
michael
subversion
Wed Sep 23 14:09:33 CEST 2009
Author: michael
Date: Wed Sep 23 14:09:33 2009
New Revision: 19990
Log:
Add checks for per-packet mode indexes and per-header mode mapping indexes.
12_vorbis_mode_indexes.patch by chrome
maybe exploitable
Modified:
trunk/libavcodec/vorbis_dec.c
Modified: trunk/libavcodec/vorbis_dec.c
==============================================================================
--- trunk/libavcodec/vorbis_dec.c Wed Sep 23 14:02:31 2009 (r19989)
+++ trunk/libavcodec/vorbis_dec.c Wed Sep 23 14:09:33 2009 (r19990)
@@ -793,7 +793,11 @@ static int vorbis_parse_setup_hdr_modes(
mode_setup->blockflag=get_bits1(gb);
mode_setup->windowtype=get_bits(gb, 16); //FIXME check
mode_setup->transformtype=get_bits(gb, 16); //FIXME check
- mode_setup->mapping=get_bits(gb, 8); //FIXME check
+ mode_setup->mapping=get_bits(gb, 8);
+ if (mode_setup->mapping>=vc->mapping_count) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping);
+ return 1;
+ }
AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping);
}
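Review bot: The two fields read just above the new check, `windowtype` and `transformtype`, still carry `//FIXME check` and are accepted with any value, so this parser keeps taking unvalidated header data after the change. The Vorbis I specification defines only zero for both, so a guard such as `if (mode_setup->windowtype || mode_setup->transformtype) return 1;`, with an av_log like the one added here, would close the remaining FIXMEs. Separately, this path returns 1 on error while the audio-packet check in the second hunk returns -1; that presumably matches each caller's convention, but the callers are outside the hunk, so it is worth confirming. The body of vorbis_parse_setup_hdr_modes starts and ends outside the hunk.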
@@ -1450,6 +1454,10 @@ static int vorbis_parse_audio_packet(vor
} else {
mode_number=get_bits(gb, ilog(vc->mode_count-1));
}
+ if (mode_number>=vc->mode_count) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "mode number %d out of range.\n", mode_number);
+ return -1;
+ }
vc->mode_number=mode_number;
mapping=&vc->mappings[vc->modes[mode_number].mapping];
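Review bot: The lookup `vc->mappings[vc->modes[mode_number].mapping]` directly below the new check is in bounds only because the setup-header parser now rejects out-of-range mapping values, and nothing at this site records that dependency. A comment on that line, for example `/* modes[].mapping was range-checked against mapping_count in vorbis_parse_setup_hdr_modes() */`, would keep a later change to header parsing from silently removing the guarantee. The invariant also assumes `mode_count` and `mapping_count` cannot change between header parsing and packet decoding, which is not visible here and should be confirmed. The function continues outside the hunk, and the `if` branch that precedes the `else` is not shown.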