Commit 0025f740 authored by Luca Barbato's avatar Luca Barbato

vorbis: Check the vlc value in setup_classifs

The valid returned values are always at most 11 bits.
Remove the previous check that assumed larger values plausible and
use a signed integer to check get_vlc2 return values.

CC: libav-stable@libav.org
parent 62de77ff
...@@ -1311,7 +1311,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, ...@@ -1311,7 +1311,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
int p, j, i; int p, j, i;
unsigned c_p_c = codebook->dimensions; unsigned c_p_c = codebook->dimensions;
unsigned inverse_class = ff_inverse[vr->classifications]; unsigned inverse_class = ff_inverse[vr->classifications];
unsigned temp, temp2; int temp, temp2;
for (p = 0, j = 0; j < ch_used; ++j) { for (p = 0, j = 0; j < ch_used; ++j) {
if (!do_not_decode[j]) { if (!do_not_decode[j]) {
temp = get_vlc2(&vc->gb, codebook->vlc.table, temp = get_vlc2(&vc->gb, codebook->vlc.table,
...@@ -1319,24 +1319,20 @@ static av_always_inline int setup_classifs(vorbis_context *vc, ...@@ -1319,24 +1319,20 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
av_dlog(NULL, "Classword: %u\n", temp); av_dlog(NULL, "Classword: %u\n", temp);
if (temp <= 65536) { if (temp < 0) {
for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { av_log(vc->avctx, AV_LOG_ERROR,
temp2 = (((uint64_t)temp) * inverse_class) >> 32; "Invalid vlc code decoding %d channel.", j);
return AVERROR_INVALIDDATA;
if (i < vr->ptns_to_read)
vr->classifs[p + i] = temp - temp2 * vr->classifications;
temp = temp2;
} }
} else {
for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
temp2 = temp / vr->classifications; temp2 = (((uint64_t)temp) * inverse_class) >> 32;
if (i < vr->ptns_to_read) if (i < vr->ptns_to_read)
vr->classifs[p + i] = temp - temp2 * vr->classifications; vr->classifs[p + i] = temp - temp2 * vr->classifications;
temp = temp2; temp = temp2;
} }
} }
}
p += vr->ptns_to_read; p += vr->ptns_to_read;
} }
return 0; return 0;
...@@ -1384,7 +1380,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, ...@@ -1384,7 +1380,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
voffset = vr->begin; voffset = vr->begin;
for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error
if (!pass) { if (!pass) {
setup_classifs(vc, vr, do_not_decode, ch_used, partition_count); int ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count);
if (ret < 0)
return ret;
} }
for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) { for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) {
for (j_times_ptns_to_read = 0, j = 0; j < ch_used; ++j) { for (j_times_ptns_to_read = 0, j = 0; j < ch_used; ++j) {
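Review bot: In setup_classifs the `av_dlog` call still formats temp with `%u` and runs before the new `if (temp < 0)` check, so now that temp is an int a failed get_vlc2 appears in the debug trace as a large unsigned number; `av_dlog(NULL, "Classword: %d\n", temp);` matches the new type. The new error string has no trailing newline and would run into the next log line, so it should read `"Invalid vlc code decoding %d channel.\n"`. With the `temp <= 65536` branch and its plain-division fallback removed, the `inverse_class` multiply is the only path, and it relies on the upper bound stated in the commit message rather than on anything checked in the visible lines; a comment above the loop such as `/* get_vlc2 yields at most 11 bits here, so no division fallback is needed */` would record that assumption for the next reader. The bodies of setup_classifs and vorbis_residue_decode_internal both continue outside the hunks shown.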
......