From f267587ecea7a98d398d0fb74e1e04668ddf26e3 Mon Sep 17 00:00:00 2001 From: Uoti Urpala Date: Sun, 23 Apr 2006 21:11:31 +0000 Subject: [PATCH] Vorbis specs requires blocksize_1 >= blocksize_0, error if it's false. Predict buffer size from blocksize_1 and number of channels and make sure this does not exceed AVCODEC_MAX_AUDIO_FRAME_SIZE Patch by Uoti Urpala >>> uoti |.| urpala |@| pp1 |.| inet |.| fi <<< Originally committed as revision 5313 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavcodec/vorbis.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 0b4b8e1880..2e9528eb92 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -872,10 +872,17 @@ static int vorbis_parse_id_hdr(vorbis_context *vc){ bl1=get_bits(gb, 4); vc->blocksize_0=(1<blocksize_1=(1<13 || bl0<6 || bl1>13 || bl1<6) { + if (bl0>13 || bl0<6 || bl1>13 || bl1<6 || bl1avccontext, AV_LOG_ERROR, " Vorbis id header packet corrupt (illegal blocksize). \n"); return 3; } + // output format int16 + if (vc->blocksize_1/2 * vc->audio_channels * 2 > + AVCODEC_MAX_AUDIO_FRAME_SIZE) { + av_log(vc->avccontext, AV_LOG_ERROR, "Vorbis channel count makes " + "output packets too large.\n"); + return 4; + } vc->swin=vwin[bl0-6]; vc->lwin=vwin[bl1-6];
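Review bot: The added size check near the end of the hunk is what keeps decoded audio within the caller's output buffer, but its only comment, `// output format int16`, does not say so, and the bare `* 2` hides that it is the sample size. I would replace the comment with `// largest packet output (blocksize_1/2 samples per channel, int16 each) must fit a buffer of AVCODEC_MAX_AUDIO_FRAME_SIZE bytes` and write the factor as `sizeof(int16_t)`. The check also assumes vc->audio_channels was already read and range-checked earlier in vorbis_parse_id_hdr, which starts outside the hunk. That ordering should be confirmed there, along with what happens for a channel count of zero. The header-time bound only holds if every caller really supplies a buffer of at least AVCODEC_MAX_AUDIO_FRAME_SIZE bytes, which presumably is the API contract but is worth stating where the buffer is written.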