From 329e816ed7903cf078c52aecd32a3be3b5dabbee Mon Sep 17 00:00:00 2001
From: Frank Barchard
Date: Sun, 13 Feb 2011 21:38:45 +0100
Subject: [PATCH] Check rangebits to avoid a possible crash.

Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues).

Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 13184036a6b1b1d4b61c91118c0896e9ad4634c3)

Addresses: CVE-2011-0480

Conflicts:

	libavcodec/vorbis_dec.c
---
 libavcodec/vorbis_dec.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 541a406722..5b8b056393 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -466,6 +466,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
         if (floor_setup->floor_type==1) {
             uint_fast8_t maximum_class=0;
             uint_fast8_t rangebits;
+            uint_fast32_t rangemax;
             uint_fast16_t floor1_values=2;

             floor_setup->decode=vorbis_floor1_decode;
@@ -526,8 +527,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) {
             rangebits=get_bits(gb, 4);
+            rangemax = (1 << rangebits);
+            if (rangemax > vc->blocksize[1] / 2) {
+                av_log(vc->avccontext, AV_LOG_ERROR,
+                       "Floor value is too large for blocksize: %d (%d)\n",
+                       rangemax, vc->blocksize[1] / 2);
+                return -1;
+            }
             floor_setup->data.t1.list[0].x = 0;
-            floor_setup->data.t1.list[1].x = (1<data.t1.list[1].x = rangemax;
             for(j=0;jdata.t1.partitions;++j) {
                 for(k=0;kdata.t1.class_dimensions[floor_setup->data.t1.partition_class[j]];++k,++floor1_values) {
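Review bot: `rangemax` is declared here as `uint_fast32_t`, but the second hunk of this patch passes it to `av_log` under a `%d` conversion; on LP64 glibc `uint_fast32_t` is an 8-byte `unsigned long`, so that variadic call is a format/argument mismatch (undefined behavior per the C standard, and in practice a garbled or shifted value in the error message). Either declare it as a plain `unsigned rangemax;` and log it with `%u`, or keep this type and cast at the log call, `(unsigned)rangemax, (unsigned)(vc->blocksize[1] / 2)`. The bounds check itself is sound as far as this patch shows, since `rangebits` comes from `get_bits(gb, 4)` and so `1 << rangebits` is at most 32768. The enclosing vorbis_parse_setup_hdr_floors body starts and ends outside this hunk, and the declared type of `vc->blocksize` is not visible here, so the second logged argument may need the same treatment.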