Forward port r14598 from libvorbis.

Add code to prevent heap attacks by exploiting dim==bignum and partition_codewords==partion_values^dim. git-svn-id: https://svn.xiph.org/trunk/Tremor@17513 0101bb08-14d6-0310-b084-bc0e0c8e3800
author: Tim Terriberry <tterribe@xiph.org> 2010-10-13 20:22:50 +0000
committer: Tim Terriberry <tterribe@xiph.org> 2010-10-13 20:22:50 +0000
commit: 7e94eea57d11795c88fc88124be43e5cd7af0636 (patch)
tree: cbb93e79032437233efe841756d71517260e3721
parent: 1d1f93e5b8cfbf75bd33ea9e7329090988ad0151 (diff)
download: tremor-7e94eea57d11795c88fc88124be43e5cd7af0636.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/res012.c b/res012.c
index 03e150d..6c1d4e1 100644
--- a/res012.c
+++ b/res012.c
@@ -113,6 +113,20 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
   for(j=0;j<acc;j++)
     if(info->booklist[j]>=ci->books)goto errout;
 
+  /* verify the phrasebook is not specifying an impossible or
+     inconsistent partitioning scheme. */
+  {
+    int entries = ci->book_param[info->groupbook]->entries;
+    int dim = ci->book_param[info->groupbook]->dim;
+    int partvals = 1;
+    while(dim>0){
+      partvals *= info->partitions;
+      if(partvals > entries) goto errout;
+      dim--;
+    }
+    if(partvals != entries) goto errout;
+  }
+
   return(info);
  errout:
   res0_free_info(info);
author	Tim Terriberry <tterribe@xiph.org>	2010-10-13 20:22:50 +0000
committer	Tim Terriberry <tterribe@xiph.org>	2010-10-13 20:22:50 +0000
commit	7e94eea57d11795c88fc88124be43e5cd7af0636 (patch)
tree	cbb93e79032437233efe841756d71517260e3721
parent	1d1f93e5b8cfbf75bd33ea9e7329090988ad0151 (diff)
download	tremor-7e94eea57d11795c88fc88124be43e5cd7af0636.tar.gz