diff options
| author | Nils Wallménius <nils@rockbox.org> | 2010-12-08 16:48:17 +0000 |
|---|---|---|
| committer | Nils Wallménius <nils@rockbox.org> | 2010-12-08 16:48:17 +0000 |
| commit | f6297c1f3ef0b528fb6969bb065a42193e7a3394 (patch) | |
| tree | aab8f9f69046b1274b39a12a34758e16bf67810a /apps/codecs | |
| parent | 7484fd3b18c7cf0f48f171cca40c29ec762c8310 (diff) | |
| download | rockbox-f6297c1f3ef0b528fb6969bb065a42193e7a3394.zip rockbox-f6297c1f3ef0b528fb6969bb065a42193e7a3394.tar.gz rockbox-f6297c1f3ef0b528fb6969bb065a42193e7a3394.tar.bz2 rockbox-f6297c1f3ef0b528fb6969bb065a42193e7a3394.tar.xz | |
libtremor: merge upstream revision 17539 and 17540 'Additional codebook validity checks.'
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@28771 a1c6a512-1295-4272-9138-f99709370657
Diffstat (limited to 'apps/codecs')
| -rw-r--r-- | apps/codecs/libtremor/codebook.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/apps/codecs/libtremor/codebook.c b/apps/codecs/libtremor/codebook.c index fd47328..e00d648 100644 --- a/apps/codecs/libtremor/codebook.c +++ b/apps/codecs/libtremor/codebook.c @@ -42,12 +42,17 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){ /* codeword ordering.... length ordered or unordered? */ switch((int)oggpack_read(opb,1)){ - case 0: + case 0:{ + long unused; + /* allocated but unused entries? */ + unused=oggpack_read(opb,1); + if((s->entries*(unused?1:5)+7)>>3>opb->storage-oggpack_bytes(opb)) + goto _eofout; /* unordered */ s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries); /* allocated but unused entries? */ - if(oggpack_read(opb,1)){ + if(unused){ /* yes, unused entries */ for(i=0;i<s->entries;i++){ @@ -68,17 +73,22 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){ } break; + } case 1: /* ordered */ { long length=oggpack_read(opb,5)+1; + if(length==0)goto _eofout; s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries); for(i=0;i<s->entries;){ long num=oggpack_read(opb,_ilog(s->entries-i)); if(num==-1)goto _eofout; - if(length>32)goto _errout; - for(j=0;j<num && i<s->entries;j++,i++) + if(length>32 || num>s->entries-i || + (num>0 && (num-1)>>(length>>1)>>((length+1)>>1))>0){ + goto _errout; + } + for(j=0;j<num;j++,i++) s->lengthlist[i]=length; length++; } @@ -116,6 +126,8 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){ } /* quantized values */ + if((quantvals*s->q_quant+7)>>3>opb->storage-oggpack_bytes(opb)) + goto _eofout; s->quantlist=(long *)_ogg_malloc(sizeof(*s->quantlist)*quantvals); for(i=0;i<quantvals;i++) s->quantlist[i]=oggpack_read(opb,s->q_quant); |