From 88015f25dc5c29bf2819bfd8f7d2b46ec20dc204 Mon Sep 17 00:00:00 2001
From: Tim Terriberry
Date: Wed, 13 Oct 2010 23:12:19 +0000
Subject: Fixes for r17514.

Actually allocate the right number of comments, and add an extra check against i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit machine... unlikely, but possible).

git-svn-id: https://svn.xiph.org/trunk/Tremor@17515 0101bb08-14d6-0310-b084-bc0e0c8e3800
---
 backends.h | 3 ++-
 info.c | 7 ++++---
 iseeking_example.c | 4 ++--
 ivorbisfile_example.c | 4 ++--
 res012.c | 13 ++++++++-----
 sharedbook.c | 1 +
 6 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/backends.h b/backends.h
index 50c1c45..5202421 100644
--- a/backends.h
+++ b/backends.h
@@ -92,9 +92,10 @@ typedef struct vorbis_info_residue0{
 /* first stage (lossless partitioning) */
 int grouping; /* group n vectors per partition */
 int partitions; /* possible codebooks for a partition */
+ int partvals; /* partitions ^ groupbook dim */
 int groupbook; /* huffbook for partitioning */
 int secondstages[64]; /* expanded out to pointers in lookup */
- int booklist[256]; /* list of second stage books */
+ int booklist[512]; /* list of second stage books */
 } vorbis_info_residue0;
 /* Mapping backend generic *****************************************/
diff --git a/info.c b/info.c
index f351a48..75e7205 100644
--- a/info.c
+++ b/info.c
@@ -21,6 +21,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "ivorbiscodec.h"
 #include "codec_internal.h"
@@ -194,9 +195,9 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){
 if(vc->vendor==NULL)goto err_out;
 _v_readstring(opb,vc->vendor,vendorlen);
 i=oggpack_read(opb,32);
- if(i<0||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out;
- vc->user_comments=(char **)_ogg_calloc(vc->comments+1,sizeof(*vc->user_comments));
- vc->comment_lengths=(int *)_ogg_calloc(vc->comments+1, sizeof(*vc->comment_lengths));
+ if(i<0||i>=INT_MAX||i>(opb->storage-oggpack_bytes(opb))>>2)goto err_out;
+ vc->user_comments=(char **)_ogg_calloc(i+1,sizeof(*vc->user_comments));
+ vc->comment_lengths=(int *)_ogg_calloc(i+1, sizeof(*vc->comment_lengths));
 if(vc->user_comments==NULL||vc->comment_lengths==NULL)goto err_out;
 vc->comments=i;
diff --git a/iseeking_example.c b/iseeking_example.c
index aaf0d39..533d7bd 100644
--- a/iseeking_example.c
+++ b/iseeking_example.c
@@ -18,8 +18,8 @@
 #include
 #include
-#include
-#include
+#include "ivorbiscodec.h"
+#include "ivorbisfile.h"
 #ifdef _WIN32 /* We need the following two to set stdin/stdout to binary */
 # include
diff --git a/ivorbisfile_example.c b/ivorbisfile_example.c
index 1854fc4..c99cfd2 100644
--- a/ivorbisfile_example.c
+++ b/ivorbisfile_example.c
@@ -21,8 +21,8 @@
 #include
 #include
-#include
-#include
+#include "ivorbiscodec.h"
+#include "ivorbisfile.h"
 #ifdef _WIN32 /* We need the following two to set stdin/stdout to binary */
 #include
diff --git a/res012.c b/res012.c
index 6c1d4e1..38c3707 100644
--- a/res012.c
+++ b/res012.c
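Review bot: The new `i>=INT_MAX` guard in `_vorbis_unpack_comment` carries no explanation, and its purpose is not obvious from the line itself: the commit message says it keeps `i+1` from overflowing, and the same `i` is stored into `vc->comments` two lines later, which appears to be an int. Suggest a comment on the check, `/* i+1 sizes the arrays and i is stored in vc->comments; reject counts that would overflow an int */`. The remaining bound, `i>(opb->storage-oggpack_bytes(opb))>>2`, only guarantees that four bytes per comment are left in the packet, so each comment's own length still has to be checked when it is read; that code is outside the hunk.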
@@ -115,6 +115,10 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
 /* verify the phrasebook is not specifying an impossible or inconsistent partitioning scheme. */
+ /* modify the phrasebook ranging check from r16327; an early beta
+ encoder had a bug where it used an oversized phrasebook by
+ accident. These files should continue to be playable, but don't
+ allow an exploit */
 {
 int entries = ci->book_param[info->groupbook]->entries;
 int dim = ci->book_param[info->groupbook]->dim;
@@ -124,7 +128,7 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
 if(partvals > entries) goto errout;
 dim--;
 }
- if(partvals != entries) goto errout;
+ info->partvals = partvals;
 }
 return(info);
@@ -168,8 +172,7 @@ vorbis_look_residue *res0_look(vorbis_dsp_state *vd,vorbis_info_mode *vm,
 }
 }
- look->partvals=look->parts;
- for(j=1;jpartvals*=look->parts;
+ look->partvals=look->phrasebook->entries;
 look->stages=maxstage;
 look->decodemap=(int **)_ogg_malloc(look->partvals*sizeof(*look->decodemap));
 for(j=0;jpartvals;j++){
@@ -222,7 +225,7 @@ static int _01inverse(vorbis_block *vb,vorbis_look_residue *vl,
 /* fetch the partition word for each channel */
 for(j=0;jphrasebook,&vb->opb);
- if(temp==-1)goto eopbreak;
+ if(temp==-1 || temp>=info->partvals)goto eopbreak;
 partword[j][l]=look->decodemap[temp];
 if(partword[j][l]==NULL)goto errout;
 }
@@ -304,7 +307,7 @@ int res2_inverse(vorbis_block *vb,vorbis_look_residue *vl,
 if(s==0){
 /* fetch the partition word */
 int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
- if(temp==-1)goto eopbreak;
+ if(temp==-1 || temp>info->partvals)goto eopbreak;
 partword[l]=look->decodemap[temp];
 if(partword[l]==NULL)goto errout;
 }
diff --git a/sharedbook.c b/sharedbook.c
index 03c2147..fe49b10 100644
--- a/sharedbook.c
+++ b/sharedbook.c
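Review bot: The bound added in `res2_inverse` is off by one relative to the one added in `_01inverse`: the former rejects `temp>info->partvals` while the latter rejects `temp>=info->partvals`. If `info->partvals` is the number of valid partition words (the `res0_unpack` hunk computes it as the product that must not exceed `entries`), the valid indices are `0..partvals-1`, so `temp==partvals` passes the res2 check and indexes `look->decodemap[temp]` one past the last valid word. Change the res2 line to `if(temp==-1 || temp>=info->partvals)goto eopbreak;` so both decoders enforce the same range. Both `_01inverse` and `res2_inverse` begin and end outside their hunks.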
@@ -129,6 +129,7 @@ ogg_uint32_t *_make_words(long *l,long n,long sparsecount){
 but the above tree-gen code doesn't mark that. */
 if(sparsecount != 1){
 for(i=1;i<33;i++)
+ printf("%2li: 0x%08lX\n", i, marker[i] & (0xffffffffUL>>(32-i)));
 if(marker[i] & (0xffffffffUL>>(32-i))){
 _ogg_free(r);
 return(NULL);
--
cgit v1.2.1
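Review bot: The `printf` added in `_make_words` sits in the unbraced body of `for(i=1;i<33;i++)`, so it becomes the loop's only statement and the `if(marker[i] & ...)` check that used to be the body now runs once, after the loop, with `i==33`: that indexes `marker[33]`, past the range the loop was written for, and evaluates `0xffffffffUL>>(32-i)` with a negative shift count, which is undefined behaviour, while the per-length overflow check the loop was meant to perform is skipped entirely. The line also reads as a leftover debug trace, it writes to stdout from library code and is not mentioned in the commit message, so it should be dropped; if the trace is wanted, brace the loop body: `for(i=1;i<33;i++){ printf(...); if(marker[i] & (0xffffffffUL>>(32-i))){ ... } }`. The function and the loop body continue outside the hunk.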