vorbisdec: Check bark_map_size.

This fixes potential divisions by zero and out of array accesses. Reported-by: Dale Curtis <dalecurtis@chromium.org> Found-by: inferno@chromium.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

vorbisdec: Check bark_map_size.
This fixes potential divisions by zero and out of array accesses. Reported-by: Dale Curtis <dalecurtis@chromium.org> Found-by: inferno@chromium.org Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2c16bf2d · Michael Niedermayer · 7e5c5fa5 · 2c16bf2d
Commit 2c16bf2d authored Jan 10, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

vorbisdec.c libavcodec/vorbisdec.c +4 -0

No files found.
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -597,6 +597,10 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
                       "Floor 0 amplitude bits is 0.\n");
                return AVERROR_INVALIDDATA;
            }
+            if (floor_setup->data.t0.bark_map_size == 0) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "Floor 0 bark map size is 0.\n");
+                return AVERROR_INVALIDDATA;
+            }
            floor_setup->data.t0.amplitude_offset = get_bits(gb, 8);
            floor_setup->data.t0.num_books        = get_bits(gb, 4) + 1;