Commit 13184036 authored by Frank Barchard, committed by Carl Eugen Hoyos

Check rangebits to avoid a possible crash.

Fixes issue 2548 (and Chrome issue 68115 and unknown CERT issues).

Patch by Frank Barchard, fbarchard at google

Originally committed as revision 26365 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 03ec42aa
...@@ -483,6 +483,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) ...@@ -483,6 +483,7 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
if (floor_setup->floor_type == 1) { if (floor_setup->floor_type == 1) {
int maximum_class = -1; int maximum_class = -1;
uint_fast8_t rangebits; uint_fast8_t rangebits;
uint_fast32_t rangemax;
uint_fast16_t floor1_values = 2; uint_fast16_t floor1_values = 2;
floor_setup->decode = vorbis_floor1_decode; floor_setup->decode = vorbis_floor1_decode;
...@@ -534,8 +535,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) ...@@ -534,8 +535,15 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
rangebits = get_bits(gb, 4); rangebits = get_bits(gb, 4);
rangemax = (1 << rangebits);
if (rangemax > vc->blocksize[1] / 2) {
av_log(vc->avccontext, AV_LOG_ERROR,
"Floor value is too large for blocksize: %d (%d)\n",
rangemax, vc->blocksize[1] / 2);
return -1;
}
floor_setup->data.t1.list[0].x = 0; floor_setup->data.t1.list[0].x = 0;
floor_setup->data.t1.list[1].x = (1 << rangebits); floor_setup->data.t1.list[1].x = rangemax;
for (j = 0; j < floor_setup->data.t1.partitions; ++j) { for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) { for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) {
......