falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
Browse Source

Check rangebits to avoid a possible crash. 

Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues).

Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 13184036a6)

Addresses: CVE-2011-0480

Conflicts:

	libavcodec/vorbis_dec.c
tags/n0.5.5
Frank Barchard Reinhard Tartler 15 years ago
parent
d6860fb653
commit
329e816ed7
1 changed files with 9 additions and 1 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +9
    -1
      libavcodec/vorbis_dec.c

+ 9
- 1
libavcodec/vorbis_dec.c View File

@@ -466,6 +466,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
if (floor_setup->floor_type==1) {
uint_fast8_t maximum_class=0;
uint_fast8_t rangebits;
uint_fast32_t rangemax;
uint_fast16_t floor1_values=2;

floor_setup->decode=vorbis_floor1_decode;
@@ -526,8 +527,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {


rangebits=get_bits(gb, 4);
rangemax = (1 << rangebits);
if (rangemax > vc->blocksize[1] / 2) {
av_log(vc->avccontext, AV_LOG_ERROR,
"Floor value is too large for blocksize: %d (%d)\n",
rangemax, vc->blocksize[1] / 2);
return -1;
}
floor_setup->data.t1.list[0].x = 0;
floor_setup->data.t1.list[1].x = (1<<rangebits);
floor_setup->data.t1.list[1].x = rangemax;

for(j=0;j<floor_setup->data.t1.partitions;++j) {
for(k=0;k<floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]];++k,++floor1_values) {


Write Preview
Loading…
Cancel
Save