virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

Check begin/end/partition_size.

Browse Source 
23_vorbis_sane_partition.patch by chrome.
Also this should be better documented but i prefer not to leave potential
security issues open due to missing documentation.

Originally committed as revision 19996 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Google Chrome 2009-09-23 13:08:48 +00:00 committed by Michael Niedermayer
parent 310afddfe0
commit 36b7e983a6
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libavcodec/vorbis_dec.c
View File

@ -37,6 +37,7 @@
#define V_NB_BITS 8
#define V_NB_BITS2 11
#define V_MAX_VLCS (1<<16)
#define V_MAX_PARTITIONS (1<<20)
#ifndef V_DEBUG
#define AV_DEBUG(...)
@ -638,6 +639,14 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc){
res_setup->begin=get_bits(gb, 24);
res_setup->end=get_bits(gb, 24);
res_setup->partition_size=get_bits(gb, 24)+1;
/* Validations to prevent a buffer overflow later. */
if (res_setup->begin>res_setup->end
|| res_setup->end>vc->blocksize[1]/(res_setup->type==2?1:2)
|| (res_setup->end-res_setup->begin)/res_setup->partition_size>V_MAX_PARTITIONS) {
av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %d, %d, %d, %d, %d\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1]/2);
return 1;
}
res_setup->classifications=get_bits(gb, 6)+1;
res_setup->classbook=get_bits(gb, 8);
if (res_setup->classbook>=vc->codebook_count) {