diff options
| author | Monty <xiphmont@xiph.org> | 2012-02-03 20:51:27 +0000 |
|---|---|---|
| committer | Monty <xiphmont@xiph.org> | 2012-02-03 20:51:27 +0000 |
| commit | 4936fd271fcad8b401adb0c735685b4fd0bf273f (patch) | |
| tree | 4dc675c9ca6b0d776e7931a02f7dbb76b70814d4 | |
| parent | 70635b34bb995a534a3485758596fec7ed9bc7fd (diff) | |
| download | libvorbis-git-4936fd271fcad8b401adb0c735685b4fd0bf273f.tar.gz | |
Port r17546 from Tremor; although pieces had made it over to libvorbis, a comprehensive
port and verification was called for. This patch provided some additional floor0
hardening:
floor0 code could potentially use a book where the number of vals it
needed to decode was not an integer number of dims wide. This caused
it to overflow the output vector as the termination condition was in
the outer loop of vorbis_book_decodev_set.
None of the various vorbis_book_decodeXXXX calls internally guard
against this case either, but in every other use the calling code does
properly guard (and avoids putting more checks in the tight inner
decode loop).
For floor0, move the checks into the inner loop as there's little
penalty for doing so.
[an equivalent change was already in libvorbis, but I've
harmonized the code with tremor]
For floor0, move the checks into the inner loop as there's little
penalty for doing so. Add commentary indicating where guarding is
done for each call variant.
svn path=/trunk/vorbis/; revision=18183
| -rw-r--r-- | lib/codebook.c | 11 | ||||
| -rw-r--r-- | lib/floor0.c | 5 |
2 files changed, 10 insertions, 6 deletions
diff --git a/lib/codebook.c b/lib/codebook.c index cdf9e261..a382f96e 100644 --- a/lib/codebook.c +++ b/lib/codebook.c @@ -367,6 +367,7 @@ long vorbis_book_decode(codebook *book, oggpack_buffer *b){ } /* returns 0 on OK or -1 on eof *************************************/ +/* decode vector / dim granularity gaurding is done in the upper layer */ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){ if(book->used_entries>0){ int step=n/book->dim; @@ -386,6 +387,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){ return(0); } +/* decode vector / dim granularity gaurding is done in the upper layer */ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){ if(book->used_entries>0){ int i,j,entry; @@ -431,6 +433,9 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){ return(0); } +/* unlike the others, we guard against n not being an integer number + of <dim> internally rather than in the upper layer (called only by + floor0) */ long vorbis_book_decodev_set(codebook *book,float *a,oggpack_buffer *b,int n){ if(book->used_entries>0){ int i,j,entry; @@ -440,15 +445,15 @@ long vorbis_book_decodev_set(codebook *book,float *a,oggpack_buffer *b,int n){ entry = decode_packed_entry_number(book,b); if(entry==-1)return(-1); t = book->valuelist+entry*book->dim; - for (j=0;j<book->dim;) + for (j=0;i<n && j<book->dim;){ a[i++]=t[j++]; + } } }else{ int i,j; for(i=0;i<n;){ - for (j=0;j<book->dim;j++) - a[i++]=0.f; + a[i++]=0.f; } } return(0); diff --git a/lib/floor0.c b/lib/floor0.c index c22213b4..d36851ef 100644 --- a/lib/floor0.c +++ b/lib/floor0.c @@ -177,10 +177,9 @@ static void *floor0_inverse1(vorbis_block *vb,vorbis_look_floor *i){ vector */ float *lsp=_vorbis_block_alloc(vb,sizeof(*lsp)*(look->m+b->dim+1)); - for(j=0;j<look->m;j+=b->dim) - if(vorbis_book_decodev_set(b,lsp+j,&vb->opb,b->dim)==-1)goto eop; + if(vorbis_book_decodev_set(b,lsp,&vb->opb,look->m,-24)==-1)goto eop; for(j=0;j<look->m;){ - for(k=0;k<b->dim;k++,j++)lsp[j]+=last; + for(k=0;j<look->m && k<b->dim;k++,j++)lsp[j]+=last; last=lsp[j-1]; } |