virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

Add checks for per-packet mode indexes and per-header mode mapping indexes.

Browse Source 
12_vorbis_mode_indexes.patch by chrome
maybe exploitable

Originally committed as revision 19990 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Google Chrome 2009-09-23 12:09:33 +00:00 committed by Michael Niedermayer
parent 79a4258141
commit e5b0cfb541
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/vorbis_dec.c
View File

@ -793,7 +793,11 @@ static int vorbis_parse_setup_hdr_modes(vorbis_context *vc) {
mode_setup->blockflag=get_bits1(gb); mode_setup->blockflag=get_bits1(gb);
mode_setup->windowtype=get_bits(gb, 16); //FIXME check mode_setup->windowtype=get_bits(gb, 16); //FIXME check
mode_setup->transformtype=get_bits(gb, 16); //FIXME check mode_setup->transformtype=get_bits(gb, 16); //FIXME check
mode_setup->mapping=get_bits(gb, 8); //FIXME check mode_setup->mapping=get_bits(gb, 8);
if (mode_setup->mapping>=vc->mapping_count) {
av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping);
return 1;
}
AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping); AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping);
} }
@ -1450,6 +1454,10 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
} else { } else {
mode_number=get_bits(gb, ilog(vc->mode_count-1)); mode_number=get_bits(gb, ilog(vc->mode_count-1));
} }
if (mode_number>=vc->mode_count) {
av_log(vc->avccontext, AV_LOG_ERROR, "mode number %d out of range.\n", mode_number);
return -1;
}
vc->mode_number=mode_number; vc->mode_number=mode_number;
mapping=&vc->mappings[vc->modes[mode_number].mapping]; mapping=&vc->mappings[vc->modes[mode_number].mapping];