diff options
| author | Tim Terriberry <tterribe@xiph.org> | 2010-10-13 23:12:19 +0000 |
|---|---|---|
| committer | Tim Terriberry <tterribe@xiph.org> | 2010-10-13 23:12:19 +0000 |
| commit | 88015f25dc5c29bf2819bfd8f7d2b46ec20dc204 (patch) | |
| tree | 2d26702b018fd7cc556a718eaf9e24a976ae581b | |
| parent | 69dfba92c6a0b872273ae79a832d89d6e83a7363 (diff) | |
| download | tremor-88015f25dc5c29bf2819bfd8f7d2b46ec20dc204.tar.gz | |
Fixes for r17514.
Actually allocate the right number of comments, and add an extra check against
i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
machine... unlikely, but possible).
git-svn-id: https://svn.xiph.org/trunk/Tremor@17515 0101bb08-14d6-0310-b084-bc0e0c8e3800
| -rw-r--r-- | backends.h | 3 | ||||
| -rw-r--r-- | info.c | 7 | ||||
| -rw-r--r-- | iseeking_example.c | 4 | ||||
| -rw-r--r-- | ivorbisfile_example.c | 4 | ||||
| -rw-r--r-- | res012.c | 13 | ||||
| -rw-r--r-- | sharedbook.c | 1 |
6 files changed, 19 insertions, 13 deletions
@@ -92,9 +92,10 @@ typedef struct vorbis_info_residue0{ /* first stage (lossless partitioning) */ int grouping; /* group n vectors per partition */ int partitions; /* possible codebooks for a partition */ + int partvals; /* partitions ^ groupbook dim */ int groupbook; /* huffbook for partitioning */ int secondstages[64]; /* expanded out to pointers in lookup */ - int booklist[256]; /* list of second stage books */ + int booklist[512]; /* list of second stage books */ } vorbis_info_residue0; /* Mapping backend generic *****************************************/ @@ -21,6 +21,7 @@ #include <stdlib.h> #include <string.h> #include <ctype.h> +#include <limits.h> #include <ogg/ogg.h> #include "ivorbiscodec.h" #include "codec_internal.h" @@ -194,9 +195,9 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){ if(vc->vendor==NULL)goto err_out; _v_readstring(opb,vc->vendor,vendorlen); i=oggpack_read(opb,32); - if(i<0||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out; - vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments)); - vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths)); + if(i<0||i>=INT_MAX||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out; + vc->user_comments=(char **)_ogg_calloc(i+1,sizeof(*vc->user_comments)); + vc->comment_lengths=(int *)_ogg_calloc(i+1, sizeof(*vc->comment_lengths)); if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out; vc->comments=i; diff --git a/iseeking_example.c b/iseeking_example.c index aaf0d39..533d7bd 100644 --- a/iseeking_example.c +++ b/iseeking_example.c @@ -18,8 +18,8 @@ #include <stdlib.h> #include <stdio.h> -#include <vorbis/ivorbiscodec.h> -#include <vorbis/ivorbisfile.h> +#include "ivorbiscodec.h" +#include "ivorbisfile.h" #ifdef _WIN32 /* We need the following two to set stdin/stdout to binary */ # include <io.h> diff --git a/ivorbisfile_example.c b/ivorbisfile_example.c index 1854fc4..c99cfd2 100644 --- a/ivorbisfile_example.c +++ b/ivorbisfile_example.c @@ -21,8 +21,8 @@ #include <stdio.h> #include <stdlib.h> -#include <vorbis/ivorbiscodec.h> -#include <vorbis/ivorbisfile.h> +#include "ivorbiscodec.h" +#include "ivorbisfile.h" #ifdef _WIN32 /* We need the following two to set stdin/stdout to binary */ #include <io.h> @@ -115,6 +115,10 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){ /* verify the phrasebook is not specifying an impossible or inconsistent partitioning scheme. */ + /* modify the phrasebook ranging check from r16327; an early beta + encoder had a bug where it used an oversized phrasebook by + accident. These files should continue to be playable, but don't + allow an exploit */ { int entries = ci->book_param[info->groupbook]->entries; int dim = ci->book_param[info->groupbook]->dim; @@ -124,7 +128,7 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){ if(partvals > entries) goto errout; dim--; } - if(partvals != entries) goto errout; + info->partvals = partvals; } return(info); @@ -168,8 +172,7 @@ vorbis_look_residue *res0_look(vorbis_dsp_state *vd,vorbis_info_mode *vm, } } - look->partvals=look->parts; - for(j=1;j<dim;j++)look->partvals*=look->parts; + look->partvals=look->phrasebook->entries; look->stages=maxstage; look->decodemap=(int **)_ogg_malloc(look->partvals*sizeof(*look->decodemap)); for(j=0;j<look->partvals;j++){ @@ -222,7 +225,7 @@ static int _01inverse(vorbis_block *vb,vorbis_look_residue *vl, /* fetch the partition word for each channel */ for(j=0;j<ch;j++){ int temp=vorbis_book_decode(look->phrasebook,&vb->opb); - if(temp==-1)goto eopbreak; + if(temp==-1 || temp>=info->partvals)goto eopbreak; partword[j][l]=look->decodemap[temp]; if(partword[j][l]==NULL)goto errout; } @@ -304,7 +307,7 @@ int res2_inverse(vorbis_block *vb,vorbis_look_residue *vl, if(s==0){ /* fetch the partition word */ int temp=vorbis_book_decode(look->phrasebook,&vb->opb); - if(temp==-1)goto eopbreak; + if(temp==-1 || temp>info->partvals)goto eopbreak; partword[l]=look->decodemap[temp]; if(partword[l]==NULL)goto errout; } diff --git a/sharedbook.c b/sharedbook.c index 03c2147..fe49b10 100644 --- a/sharedbook.c +++ b/sharedbook.c @@ -129,6 +129,7 @@ ogg_uint32_t *_make_words(long *l,long n,long sparsecount){ but the above tree-gen code doesn't mark that. */ if(sparsecount != 1){ for(i=1;i<33;i++) + printf("%2li: 0x%08lX\n", i, marker[i] & (0xffffffffUL>>(32-i))); if(marker[i] & (0xffffffffUL>>(32-i))){ _ogg_free(r); return(NULL); |