| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reject multiple headers of the same type.
|
|
|
|
|
| |
Codebooks that are not an exact divisor of the partition size are now
truncated to fit within the partition.
|
|
|
|
|
|
|
| |
Fix crash on corrupt input file (invalid mode index)
git-svn-id: https://svn.xiph.org/trunk/Tremor@19420 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
| |
keyword property on source files
git-svn-id: https://svn.xiph.org/trunk/Tremor@19172 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
| |
git-svn-id: https://svn.xiph.org/trunk/Tremor@19170 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
| |
Patch from Brad Smith.
Reviewed by Ron Lee.
Fixes #1943.
git-svn-id: https://svn.xiph.org/trunk/Tremor@18906 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
| |
git-svn-id: https://svn.xiph.org/trunk/Tremor@18153 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
| |
git-svn-id: https://svn.xiph.org/trunk/Tremor@18152 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The use of long caused some functions which now use libogg's
ogg_page_serialno() (which returns an int) to sign-extend the
serialno, while the actual list was stored as ogg_uint32_t's.
This would cause subsequent lookups to fail on platforms with a
64-bit long.
Introduced in r17375 and r16259, but only partially corrected in
r17536.
Fixes #1838.
Thanks to achurch for the report.
git-svn-id: https://svn.xiph.org/trunk/Tremor@18116 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
| |
git-svn-id: https://svn.xiph.org/trunk/Tremor@18099 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
| |
integration with Windows 7).
Modified project files to have Windows CE debug builds compilable and runnable.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17636 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
| |
vf->current_serialno matches on return.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17572 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
| |
A codebook that allows values outside the circular range of the piecewise
floor1 representation can overflow the lookup
Also fix a typo in the comments of the original patch.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17555 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
| |
Mobile binaries.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17551 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
| |
git-svn-id: https://svn.xiph.org/trunk/Tremor@17547 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
needed to decode was not an integer number of dims wide. This caused
it to overflow the output vector as the termination condition was in
the outer loop of vorbis_book_decodev_set.
None of the various vorbis_book_decodeXXXX calls internally guard
against this case either, but in every other use the calling code does
properly guard (and avoids putting more checks in the tight inner
decode loop).
For floor0, move the checks into the inner loop as there's little
penalty for doing so. Add commentary indicating where guarding is
done for each call variant.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17546 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
| |
zzuf.00005.361003813.chop.lsp-test4.ogg etc.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17545 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
| |
zzuf.00005.355571120.chop.rc2-test2.ogg
git-svn-id: https://svn.xiph.org/trunk/Tremor@17544 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
| |
range of the piecewise representation, it can overflow the lookup.
Proper fix here is just a simple clamp.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17543 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
| |
playback of some older (pre-1.0) files removed an [implicit] check
against phrasebook dim being set to zero. Reinstate as an explicit
check.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17542 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
| |
possible to game the granpos such that the trim code would try to
rewind more samples than were actually available in storage.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17541 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
codebook.c:87: warning: suggest parentheses around '-' inside '>>'
git-svn-id: https://svn.xiph.org/trunk/Tremor@17540 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
| |
Bail out of codebook loading early if the packet doesn't have enough data for
the size of the codebooks it asked for.
This doesn't in and of itself provide any additional security, but it does make
peak heap usage on many invalid files smaller.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17539 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
|
|
| |
Header setup allows the LSP order to be as low as one, but the code in
vorbis_lsp_to_curve() assumed it was at least two.
This wasn't terrible in libvorbis... it would multiply a nonsense (but defined)
value into the output, and nothing more.
In Tremor, it referenced several completely undefined (stack) values, which
could cause out-of-bounds lookup table accesses and crashes.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17538 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
| |
Storing a serial number in a long and comparing it to an ogg_uint32_t only
works if you cast the long down, instead of letting C promote it.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17536 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
| |
since the iseeking_example was originally copied over from reference.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17535 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
seeking bisection computation
This is the equivalent of the r15921 fix in reference, but doesn't
require a double cast (for obvious reasons). The technique is
different, the intent is the same (avoid a 64x64= >64 bit overflow)
git-svn-id: https://svn.xiph.org/trunk/Tremor@17534 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
allocate a verification buffer for excessively
large samples.
Also correct sample/time calculation to not overflow 64 bit math, again for
those excessively long samples
git-svn-id: https://svn.xiph.org/trunk/Tremor@17533 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
| |
Unless you're using the autotools build system, <vorbis/...> doesn't exist, and
could pull out-of-date system headers anyway.
ivorbisfile_example had the same problem, but that fix was accidentally
included in r17526.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17532 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
| |
r16328 (committed in Tremor as r17526) broke chaining by causing
vorbis_synthesis_init() to fail on a second call.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17531 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Fix leak when aborting out of static_codebook unpack. Closes #1663.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17530 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Apply patches from Trac #1638, additional application hardening.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17529 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Don't allow ordered codebooks with codeword lengths longer than 32 bits.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17528 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Eliminate possibility of booklist overflow in res0/1/2 unpacking.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17527 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
| |
ivorbisfile_example.c ignores an error code and plows ahead blindly if
libvorbisidec reports the current bitstream section is bad (OV_EBADLINK).
Retrying after the error crashes libvorbisidec due to the unitialized state.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17526 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Commit additional hardening to setup packet decode.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17525 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501279
git-svn-id: https://svn.xiph.org/trunk/Tremor@17524 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
| |
Second half of fix to https://bugzilla.mozilla.org/show_bug.cgi?id=500254
Sanity check the floor 1 post list to reject files with repeated values that
would result in floor line segments with zero length.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17523 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
| |
First half of fix for https://bugzilla.mozilla.org/show_bug.cgi?id=500254
Residue code was not checking that its partition books were books with
specified/populated value mappings.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17522 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
| |
git-svn-id: https://svn.xiph.org/trunk/Tremor@17521 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
|
| |
Fix for bug #1456-- the 'bulletproofing' from CVE-2008-1420 inadvertantly
rejects a harmless/legal (if suboptimal) codebook arrangement that was
apparently used in 1.0b1.
Modify fix for Trac #1572; some files from the earliest beta
accidentally used an oversized phrasebook in res decode; allow these.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17520 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Correct an accidental dereference-before-check in error cleanup in comments.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17519 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
| |
The vorbisfile part of this got merged in r16259, but the corresponding changes
to voris_synthesis_init() to actually return a failure code did not.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17518 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
| |
Actually allocate the right number of comments, and add an extra check against
i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
machine... unlikely, but possible).
git-svn-id: https://svn.xiph.org/trunk/Tremor@17517 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
This accidentally contained far more than I meant to commit.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17516 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
| |
Actually allocate the right number of comments, and add an extra check against
i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
machine... unlikely, but possible).
git-svn-id: https://svn.xiph.org/trunk/Tremor@17515 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't try to read past the end of the comment packet if the string lengths are
corrupt.
Correct a potential comment length sanity check overflow.
Commit additional hardening to comment packet decode.
Also add allocation checks, since these can still run us out of address space
if someone actually sends a GB or two of comment data.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17514 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
|
| |
Add code to prevent heap attacks by exploiting dim==bignum and
partition_codewords==partion_values^dim.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17513 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Correctly handle the nonsensical codebook.dim==0 case.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17512 0101bb08-14d6-0310-b084-bc0e0c8e3800
|
|
|
|
|
|
|
| |
Add checks/rejection for absurdly huge codebooks.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17511 0101bb08-14d6-0310-b084-bc0e0c8e3800
|