Additional codebook validity checks.

[Import part of the changes from Tremor (3b65200 2010-10-16)]
author: Nedeljko Babic <nbabic@mips.com> 2012-03-27 14:27:08 +0200
committer: Nedeljko Babic <nbabic@mips.com> 2012-04-03 15:38:03 +0200
commit: feb7319a0415dd4a65a9746d1c0748aa4894c396 (patch)
tree: 617a9557507a29b1445a0832c50f45dfe55a5e87
parent: 80ca6dd0a063a59b974f0e59e451b9394da4ae47 (diff)
download: tremor-feb7319a0415dd4a65a9746d1c0748aa4894c396.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/codebook.c b/codebook.c
index cd9dc26..28071b6 100644
--- a/codebook.c
+++ b/codebook.c
@@ -422,7 +422,7 @@ int vorbis_book_unpack(oggpack_buffer *opb,codebook *s){
     /* ordered */
     {
       long length=oggpack_read(opb,5)+1;
-
+      if(length==0)goto _eofout;
       s->used_entries=s->entries;
       lengthlist=(char *)alloca(sizeof(*lengthlist)*s->entries);
       if (!lengthlist) goto _eofout;
@@ -430,8 +430,11 @@ int vorbis_book_unpack(oggpack_buffer *opb,codebook *s){
       for(i=0;i<s->entries;){
 	long num=oggpack_read(opb,_ilog(s->entries-i));
 	if(num<0)goto _eofout;
-	if(length>32)goto _errout;
-	for(j=0;j<num && i<s->entries;j++,i++)
+	if(length>32 || num>s->entries-i ||
+	   (num>0 && num-1>>(length>>1)>>((length+1)>>1))>0){
+	  goto _errout;
+	}
+	for(j=0;j<num;j++,i++)
 	  lengthlist[i]=(char)length;
 	s->dec_maxlength=length;
 	length++;
author	Nedeljko Babic <nbabic@mips.com>	2012-03-27 14:27:08 +0200
committer	Nedeljko Babic <nbabic@mips.com>	2012-04-03 15:38:03 +0200
commit	feb7319a0415dd4a65a9746d1c0748aa4894c396 (patch)
tree	617a9557507a29b1445a0832c50f45dfe55a5e87
parent	80ca6dd0a063a59b974f0e59e451b9394da4ae47 (diff)
download	tremor-feb7319a0415dd4a65a9746d1c0748aa4894c396.tar.gz