Add checks for per-packet mode indexes and per-header mode mapping indexes.

12_vorbis_mode_indexes.patch by chrome maybe exploitable git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19990 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

Add checks for per-packet mode indexes and per-header mode mapping indexes.
12_vorbis_mode_indexes.patch by chrome maybe exploitable git-svn-id: file:///var/local/repositories/ffmpeg/trunk@19990 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
6d7908b8 · michael · 093a791b · 6d7908b8
Commit 6d7908b8 authored Sep 23, 2009 by michael
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

libavcodec/vorbis_dec.c libavcodec/vorbis_dec.c +9 -1

No files found.
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -793,7 +793,11 @@ static int vorbis_parse_setup_hdr_modes(vorbis_context *vc) {
        mode_setup->blockflag=get_bits1(gb);
        mode_setup->windowtype=get_bits(gb, 16); //FIXME check
        mode_setup->transformtype=get_bits(gb, 16); //FIXME check
-        mode_setup->mapping=get_bits(gb, 8); //FIXME check
+        mode_setup->mapping=get_bits(gb, 8);
+        if (mode_setup->mapping>=vc->mapping_count) {
+            av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping);
+            return 1;
+        }
        AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping);
    }
@@ -1450,6 +1454,10 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) {
    } else {
        mode_number=get_bits(gb, ilog(vc->mode_count-1));
    }
+    if (mode_number>=vc->mode_count) {
+        av_log(vc->avccontext, AV_LOG_ERROR, "mode number %d out of range.\n", mode_number);
+        return -1;
+    }
    vc->mode_number=mode_number;
    mapping=&vc->mappings[vc->modes[mode_number].mapping];