libtremor: merge upstream revision 17525 'Commit additional hardening to setup packet decode.'

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@28762 a1c6a512-1295-4272-9138-f99709370657
author: Nils Wallménius <nils@rockbox.org> 2010-12-07 16:55:36 +0000
committer: Nils Wallménius <nils@rockbox.org> 2010-12-07 16:55:36 +0000
commit: 1930e9f4baee8086195e147b9580ebbf3042b3cc (patch)
tree: 5f8497aa24b0eaa61ff0b6d95c42f694c57459bd
parent: 02f836b1b2ab2fd827be950b1f41cdbed1572c5a (diff)
download: rockbox-1930e9f4baee8086195e147b9580ebbf3042b3cc.tar.gz
rockbox-1930e9f4baee8086195e147b9580ebbf3042b3cc.zip
4 files changed, 25 insertions, 19 deletions
diff --git a/apps/codecs/libtremor/codebook.c b/apps/codecs/libtremor/codebook.c
index f86b762f3c..2b92e216cc 100644
--- a/apps/codecs/libtremor/codebook.c
+++ b/apps/codecs/libtremor/codebook.c
@@ -101,6 +101,7 @@ int vorbis_staticbook_unpack(oggpack_buffer *opb,static_codebook *s){
    s->q_delta=oggpack_read(opb,32);
    s->q_quant=oggpack_read(opb,4)+1;
    s->q_sequencep=oggpack_read(opb,1);
+    if(s->q_sequencep==-1)goto _eofout;
    {
      int quantvals=0;
diff --git a/apps/codecs/libtremor/floor1.c b/apps/codecs/libtremor/floor1.c
index 98118d7ac9..ae92b23058 100644
--- a/apps/codecs/libtremor/floor1.c
+++ b/apps/codecs/libtremor/floor1.c
@@ -80,6 +80,7 @@ static vorbis_info_floor *floor1_unpack (vorbis_info *vi,oggpack_buffer *opb){
  info->partitions=oggpack_read(opb,5); /* only 0 to 31 legal */
  for(j=0;j<info->partitions;j++){
    info->partitionclass[j]=oggpack_read(opb,4); /* only 0 to 15 legal */
+    if(info->partitionclass[j]<0)goto err_out;
    if(maxclass<info->partitionclass[j])maxclass=info->partitionclass[j];
  }
@@ -102,6 +103,7 @@ static vorbis_info_floor *floor1_unpack (vorbis_info *vi,oggpack_buffer *opb){
  /* read the post list */
  info->mult=oggpack_read(opb,2)+1;     /* only 1,2,3,4 legal now */ 
  rangebits=oggpack_read(opb,4);
+  if(rangebits<0)goto err_out;
  for(j=0,k=0;j<info->partitions;j++){
    count+=info->class_dim[info->partitionclass[j]]; 
diff --git a/apps/codecs/libtremor/info.c b/apps/codecs/libtremor/info.c
index 7c9af7ccdb..b819570682 100644
--- a/apps/codecs/libtremor/info.c
+++ b/apps/codecs/libtremor/info.c
@@ -166,7 +166,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
  /* codebooks */
  ci->books=oggpack_read(opb,8)+1;
-  /*ci->book_param=_ogg_calloc(ci->books,sizeof(*ci->book_param));*/
+  if(ci->books<=0)goto err_out;
  for(i=0;i<ci->books;i++){
    ci->book_param[i]=(static_codebook *)_ogg_calloc(1,sizeof(*ci->book_param[i]));
    if(vorbis_staticbook_unpack(opb,ci->book_param[i]))goto err_out;
@@ -174,8 +174,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
  /* time backend settings */
  ci->times=oggpack_read(opb,6)+1;
-  /*ci->time_type=_ogg_malloc(ci->times*sizeof(*ci->time_type));*/
+  if(ci->times<=0)goto err_out;
-  /*ci->time_param=_ogg_calloc(ci->times,sizeof(void *));*/
  for(i=0;i<ci->times;i++){
    ci->time_type[i]=oggpack_read(opb,16);
    if(ci->time_type[i]<0 || ci->time_type[i]>=VI_TIMEB)goto err_out;
@@ -186,8 +185,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
  /* floor backend settings */
  ci->floors=oggpack_read(opb,6)+1;
-  /*ci->floor_type=_ogg_malloc(ci->floors*sizeof(*ci->floor_type));*/
+  if(ci->floors<=0)goto err_out;
-  /*ci->floor_param=_ogg_calloc(ci->floors,sizeof(void *));*/
  for(i=0;i<ci->floors;i++){
    ci->floor_type[i]=oggpack_read(opb,16);
    if(ci->floor_type[i]<0 || ci->floor_type[i]>=VI_FLOORB)goto err_out;
@@ -197,8 +195,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
  /* residue backend settings */
  ci->residues=oggpack_read(opb,6)+1;
-  /*ci->residue_type=_ogg_malloc(ci->residues*sizeof(*ci->residue_type));*/
+  if(ci->residues<=0)goto err_out;
-  /*ci->residue_param=_ogg_calloc(ci->residues,sizeof(void *));*/
  for(i=0;i<ci->residues;i++){
    ci->residue_type[i]=oggpack_read(opb,16);
    if(ci->residue_type[i]<0 || ci->residue_type[i]>=VI_RESB)goto err_out;
@@ -208,8 +205,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
  /* map backend settings */
  ci->maps=oggpack_read(opb,6)+1;
-  /*ci->map_type=_ogg_malloc(ci->maps*sizeof(*ci->map_type));*/
+  if(ci->maps<=0)goto err_out;
-  /*ci->map_param=_ogg_calloc(ci->maps,sizeof(void *));*/
  for(i=0;i<ci->maps;i++){
    ci->map_type[i]=oggpack_read(opb,16);
    if(ci->map_type[i]<0 || ci->map_type[i]>=VI_MAPB)goto err_out;
@@ -219,7 +215,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
  
  /* mode settings */
  ci->modes=oggpack_read(opb,6)+1;
-  /*vi->mode_param=_ogg_calloc(vi->modes,sizeof(void *));*/
+  if(ci->modes<=0)goto err_out;
  for(i=0;i<ci->modes;i++){
    ci->mode_param[i]=(vorbis_info_mode *)_ogg_calloc(1,sizeof(*ci->mode_param[i]));
    ci->mode_param[i]->blockflag=oggpack_read(opb,1);
@@ -230,6 +226,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
    if(ci->mode_param[i]->windowtype>=VI_WINDOWB)goto err_out;
    if(ci->mode_param[i]->transformtype>=VI_WINDOWB)goto err_out;
    if(ci->mode_param[i]->mapping>=ci->maps)goto err_out;
+    if(ci->mode_param[i]->mapping<0)goto err_out;
  }
  
  if(oggpack_read(opb,1)!=1)goto err_out; /* top level EOP check */
diff --git a/apps/codecs/libtremor/mapping0.c b/apps/codecs/libtremor/mapping0.c
index 27db815f3b..3f082c5d58 100644
--- a/apps/codecs/libtremor/mapping0.c
+++ b/apps/codecs/libtremor/mapping0.c
@@ -128,19 +128,24 @@ static int ilog(unsigned int v){
 /* also responsible for range checking */
 static vorbis_info_mapping *mapping0_unpack(vorbis_info *vi,oggpack_buffer *opb){
-  int i;
+  int i,b;
  vorbis_info_mapping0 *info=(vorbis_info_mapping0 *)_ogg_calloc(1,sizeof(*info));
  codec_setup_info     *ci=(codec_setup_info *)vi->codec_setup;
  memset(info,0,sizeof(*info));
-  if(oggpack_read(opb,1))
+  b=oggpack_read(opb,1);
+  if(b<0)goto err_out;
+  if(b){
    info->submaps=oggpack_read(opb,4)+1;
-  else
+    if(info->submaps<=0)goto err_out;
+  }else
    info->submaps=1;
-  if(oggpack_read(opb,1)){
+  b=oggpack_read(opb,1);
+  if(b<0)goto err_out;
+  if(b){
    info->coupling_steps=oggpack_read(opb,8)+1;
+    if(info->coupling_steps<=0)goto err_out;
    for(i=0;i<info->coupling_steps;i++){
      int testM=info->coupling_mag[i]=oggpack_read(opb,ilog(vi->channels));
      int testA=info->coupling_ang[i]=oggpack_read(opb,ilog(vi->channels));
@@ -154,21 +159,22 @@ static vorbis_info_mapping *mapping0_unpack(vorbis_info *vi,oggpack_buffer *opb)
  }
-  if(oggpack_read(opb,2)>0)goto err_out; /* 2,3:reserved */
+  if(oggpack_read(opb,2)!=0)goto err_out; /* 2,3:reserved */
    
  if(info->submaps>1){
    for(i=0;i<vi->channels;i++){
      info->chmuxlist[i]=oggpack_read(opb,4);
-      if(info->chmuxlist[i]>=info->submaps)goto err_out;
+      if(info->chmuxlist[i]>=info->submaps || info->chmuxlist[i]<0)goto err_out;
    }
  }
  for(i=0;i<info->submaps;i++){
    int temp=oggpack_read(opb,8);
    if(temp>=ci->times)goto err_out;
    info->floorsubmap[i]=oggpack_read(opb,8);
-    if(info->floorsubmap[i]>=ci->floors)goto err_out;
+    if(info->floorsubmap[i]>=ci->floors || info->floorsubmap[i]<0)goto err_out;
    info->residuesubmap[i]=oggpack_read(opb,8);
-    if(info->residuesubmap[i]>=ci->residues)goto err_out;
+    if(info->residuesubmap[i]>=ci->residues || info->residuesubmap[i]<0)
+      goto err_out;
  }
  return info;
author	Nils Wallménius <nils@rockbox.org>	2010-12-07 16:55:36 +0000
committer	Nils Wallménius <nils@rockbox.org>	2010-12-07 16:55:36 +0000
commit	1930e9f4baee8086195e147b9580ebbf3042b3cc (patch)
tree	5f8497aa24b0eaa61ff0b6d95c42f694c57459bd
parent	02f836b1b2ab2fd827be950b1f41cdbed1572c5a (diff)
download	rockbox-1930e9f4baee8086195e147b9580ebbf3042b3cc.tar.gz rockbox-1930e9f4baee8086195e147b9580ebbf3042b3cc.zip

diff --git a/apps/codecs/libtremor/codebook.c b/apps/codecs/libtremor/codebook.c index f86b762f3c..2b92e216cc 100644 --- a/apps/codecs/libtremor/codebook.c +++ b/apps/codecs/libtremor/codebook.c
@@ -101,6 +101,7 @@ int vorbis_staticbook_unpack(oggpack_buffer opb,static_codebook s){
101	s->q_delta=oggpack_read(opb,32);	101	s->q_delta=oggpack_read(opb,32);
102	s->q_quant=oggpack_read(opb,4)+1;	102	s->q_quant=oggpack_read(opb,4)+1;
103	s->q_sequencep=oggpack_read(opb,1);	103	s->q_sequencep=oggpack_read(opb,1);
		104	if(s->q_sequencep==-1)goto _eofout;
104		105
105	{	106	{
106	int quantvals=0;	107	int quantvals=0;


diff --git a/apps/codecs/libtremor/floor1.c b/apps/codecs/libtremor/floor1.c index 98118d7ac9..ae92b23058 100644 --- a/apps/codecs/libtremor/floor1.c +++ b/apps/codecs/libtremor/floor1.c
@@ -80,6 +80,7 @@ static vorbis_info_floor floor1_unpack (vorbis_info vi,oggpack_buffer *opb){
80	info->partitions=oggpack_read(opb,5); /* only 0 to 31 legal */	80	info->partitions=oggpack_read(opb,5); /* only 0 to 31 legal */
81	for(j=0;j<info->partitions;j++){	81	for(j=0;j<info->partitions;j++){
82	info->partitionclass[j]=oggpack_read(opb,4); /* only 0 to 15 legal */	82	info->partitionclass[j]=oggpack_read(opb,4); /* only 0 to 15 legal */
		83	if(info->partitionclass[j]<0)goto err_out;
83	if(maxclass<info->partitionclass[j])maxclass=info->partitionclass[j];	84	if(maxclass<info->partitionclass[j])maxclass=info->partitionclass[j];
84	}	85	}
85		86
@@ -102,6 +103,7 @@ static vorbis_info_floor floor1_unpack (vorbis_info vi,oggpack_buffer *opb){
102	/* read the post list */	103	/* read the post list */
103	info->mult=oggpack_read(opb,2)+1; /* only 1,2,3,4 legal now */	104	info->mult=oggpack_read(opb,2)+1; /* only 1,2,3,4 legal now */
104	rangebits=oggpack_read(opb,4);	105	rangebits=oggpack_read(opb,4);
		106	if(rangebits<0)goto err_out;
105		107
106	for(j=0,k=0;j<info->partitions;j++){	108	for(j=0,k=0;j<info->partitions;j++){
107	count+=info->class_dim[info->partitionclass[j]];	109	count+=info->class_dim[info->partitionclass[j]];


diff --git a/apps/codecs/libtremor/info.c b/apps/codecs/libtremor/info.c index 7c9af7ccdb..b819570682 100644 --- a/apps/codecs/libtremor/info.c +++ b/apps/codecs/libtremor/info.c
@@ -166,7 +166,7 @@ static int _vorbis_unpack_books(vorbis_info vi,oggpack_buffer opb){
166		166
167	/* codebooks */	167	/* codebooks */
168	ci->books=oggpack_read(opb,8)+1;	168	ci->books=oggpack_read(opb,8)+1;
169	/ci->book_param=_ogg_calloc(ci->books,sizeof(ci->book_param));*/	169	if(ci->books<=0)goto err_out;
170	for(i=0;i<ci->books;i++){	170	for(i=0;i<ci->books;i++){
171	ci->book_param[i]=(static_codebook )_ogg_calloc(1,sizeof(ci->book_param[i]));	171	ci->book_param[i]=(static_codebook )_ogg_calloc(1,sizeof(ci->book_param[i]));
172	if(vorbis_staticbook_unpack(opb,ci->book_param[i]))goto err_out;	172	if(vorbis_staticbook_unpack(opb,ci->book_param[i]))goto err_out;
@@ -174,8 +174,7 @@ static int _vorbis_unpack_books(vorbis_info vi,oggpack_buffer opb){
174		174
175	/* time backend settings */	175	/* time backend settings */
176	ci->times=oggpack_read(opb,6)+1;	176	ci->times=oggpack_read(opb,6)+1;
177	/ci->time_type=_ogg_malloc(ci->timessizeof(ci->time_type));/	177	if(ci->times<=0)goto err_out;
178	/ci->time_param=_ogg_calloc(ci->times,sizeof(void ));*/
179	for(i=0;i<ci->times;i++){	178	for(i=0;i<ci->times;i++){
180	ci->time_type[i]=oggpack_read(opb,16);	179	ci->time_type[i]=oggpack_read(opb,16);
181	if(ci->time_type[i]<0 \|\| ci->time_type[i]>=VI_TIMEB)goto err_out;	180	if(ci->time_type[i]<0 \|\| ci->time_type[i]>=VI_TIMEB)goto err_out;
@@ -186,8 +185,7 @@ static int _vorbis_unpack_books(vorbis_info vi,oggpack_buffer opb){
186		185
187	/* floor backend settings */	186	/* floor backend settings */
188	ci->floors=oggpack_read(opb,6)+1;	187	ci->floors=oggpack_read(opb,6)+1;
189	/ci->floor_type=_ogg_malloc(ci->floorssizeof(ci->floor_type));/	188	if(ci->floors<=0)goto err_out;
190	/ci->floor_param=_ogg_calloc(ci->floors,sizeof(void ));*/
191	for(i=0;i<ci->floors;i++){	189	for(i=0;i<ci->floors;i++){
192	ci->floor_type[i]=oggpack_read(opb,16);	190	ci->floor_type[i]=oggpack_read(opb,16);
193	if(ci->floor_type[i]<0 \|\| ci->floor_type[i]>=VI_FLOORB)goto err_out;	191	if(ci->floor_type[i]<0 \|\| ci->floor_type[i]>=VI_FLOORB)goto err_out;
@@ -197,8 +195,7 @@ static int _vorbis_unpack_books(vorbis_info vi,oggpack_buffer opb){
197		195
198	/* residue backend settings */	196	/* residue backend settings */
199	ci->residues=oggpack_read(opb,6)+1;	197	ci->residues=oggpack_read(opb,6)+1;
200	/ci->residue_type=_ogg_malloc(ci->residuessizeof(ci->residue_type));/	198	if(ci->residues<=0)goto err_out;
201	/ci->residue_param=_ogg_calloc(ci->residues,sizeof(void ));*/
202	for(i=0;i<ci->residues;i++){	199	for(i=0;i<ci->residues;i++){
203	ci->residue_type[i]=oggpack_read(opb,16);	200	ci->residue_type[i]=oggpack_read(opb,16);
204	if(ci->residue_type[i]<0 \|\| ci->residue_type[i]>=VI_RESB)goto err_out;	201	if(ci->residue_type[i]<0 \|\| ci->residue_type[i]>=VI_RESB)goto err_out;
@@ -208,8 +205,7 @@ static int _vorbis_unpack_books(vorbis_info vi,oggpack_buffer opb){
208		205
209	/* map backend settings */	206	/* map backend settings */
210	ci->maps=oggpack_read(opb,6)+1;	207	ci->maps=oggpack_read(opb,6)+1;
211	/ci->map_type=_ogg_malloc(ci->mapssizeof(ci->map_type));/	208	if(ci->maps<=0)goto err_out;
212	/ci->map_param=_ogg_calloc(ci->maps,sizeof(void ));*/
213	for(i=0;i<ci->maps;i++){	209	for(i=0;i<ci->maps;i++){
214	ci->map_type[i]=oggpack_read(opb,16);	210	ci->map_type[i]=oggpack_read(opb,16);
215	if(ci->map_type[i]<0 \|\| ci->map_type[i]>=VI_MAPB)goto err_out;	211	if(ci->map_type[i]<0 \|\| ci->map_type[i]>=VI_MAPB)goto err_out;
@@ -219,7 +215,7 @@ static int _vorbis_unpack_books(vorbis_info vi,oggpack_buffer opb){
219		215
220	/* mode settings */	216	/* mode settings */
221	ci->modes=oggpack_read(opb,6)+1;	217	ci->modes=oggpack_read(opb,6)+1;
222	/vi->mode_param=_ogg_calloc(vi->modes,sizeof(void ));*/	218	if(ci->modes<=0)goto err_out;
223	for(i=0;i<ci->modes;i++){	219	for(i=0;i<ci->modes;i++){
224	ci->mode_param[i]=(vorbis_info_mode )_ogg_calloc(1,sizeof(ci->mode_param[i]));	220	ci->mode_param[i]=(vorbis_info_mode )_ogg_calloc(1,sizeof(ci->mode_param[i]));
225	ci->mode_param[i]->blockflag=oggpack_read(opb,1);	221	ci->mode_param[i]->blockflag=oggpack_read(opb,1);
@@ -230,6 +226,7 @@ static int _vorbis_unpack_books(vorbis_info vi,oggpack_buffer opb){
230	if(ci->mode_param[i]->windowtype>=VI_WINDOWB)goto err_out;	226	if(ci->mode_param[i]->windowtype>=VI_WINDOWB)goto err_out;
231	if(ci->mode_param[i]->transformtype>=VI_WINDOWB)goto err_out;	227	if(ci->mode_param[i]->transformtype>=VI_WINDOWB)goto err_out;
232	if(ci->mode_param[i]->mapping>=ci->maps)goto err_out;	228	if(ci->mode_param[i]->mapping>=ci->maps)goto err_out;
		229	if(ci->mode_param[i]->mapping<0)goto err_out;
233	}	230	}
234		231
235	if(oggpack_read(opb,1)!=1)goto err_out; /* top level EOP check */	232	if(oggpack_read(opb,1)!=1)goto err_out; /* top level EOP check */


diff --git a/apps/codecs/libtremor/mapping0.c b/apps/codecs/libtremor/mapping0.c index 27db815f3b..3f082c5d58 100644 --- a/apps/codecs/libtremor/mapping0.c +++ b/apps/codecs/libtremor/mapping0.c
@@ -128,19 +128,24 @@ static int ilog(unsigned int v){
128		128
129	/* also responsible for range checking */	129	/* also responsible for range checking */
130	static vorbis_info_mapping mapping0_unpack(vorbis_info vi,oggpack_buffer *opb){	130	static vorbis_info_mapping mapping0_unpack(vorbis_info vi,oggpack_buffer *opb){
131	int i;	131	int i,b;
132	vorbis_info_mapping0 info=(vorbis_info_mapping0 )_ogg_calloc(1,sizeof(*info));	132	vorbis_info_mapping0 info=(vorbis_info_mapping0 )_ogg_calloc(1,sizeof(*info));
133	codec_setup_info ci=(codec_setup_info )vi->codec_setup;	133	codec_setup_info ci=(codec_setup_info )vi->codec_setup;
134	memset(info,0,sizeof(*info));	134	memset(info,0,sizeof(*info));
135		135
136	if(oggpack_read(opb,1))	136	b=oggpack_read(opb,1);
		137	if(b<0)goto err_out;
		138	if(b){
137	info->submaps=oggpack_read(opb,4)+1;	139	info->submaps=oggpack_read(opb,4)+1;
138	else	140	if(info->submaps<=0)goto err_out;
		141	}else
139	info->submaps=1;	142	info->submaps=1;
140		143
141	if(oggpack_read(opb,1)){	144	b=oggpack_read(opb,1);
		145	if(b<0)goto err_out;
		146	if(b){
142	info->coupling_steps=oggpack_read(opb,8)+1;	147	info->coupling_steps=oggpack_read(opb,8)+1;
143		148	if(info->coupling_steps<=0)goto err_out;
144	for(i=0;i<info->coupling_steps;i++){	149	for(i=0;i<info->coupling_steps;i++){
145	int testM=info->coupling_mag[i]=oggpack_read(opb,ilog(vi->channels));	150	int testM=info->coupling_mag[i]=oggpack_read(opb,ilog(vi->channels));
146	int testA=info->coupling_ang[i]=oggpack_read(opb,ilog(vi->channels));	151	int testA=info->coupling_ang[i]=oggpack_read(opb,ilog(vi->channels));
@@ -154,21 +159,22 @@ static vorbis_info_mapping mapping0_unpack(vorbis_info vi,oggpack_buffer *opb)
154		159
155	}	160	}
156		161
157	if(oggpack_read(opb,2)>0)goto err_out; /* 2,3:reserved */	162	if(oggpack_read(opb,2)!=0)goto err_out; /* 2,3:reserved */
158		163
159	if(info->submaps>1){	164	if(info->submaps>1){
160	for(i=0;i<vi->channels;i++){	165	for(i=0;i<vi->channels;i++){
161	info->chmuxlist[i]=oggpack_read(opb,4);	166	info->chmuxlist[i]=oggpack_read(opb,4);
162	if(info->chmuxlist[i]>=info->submaps)goto err_out;	167	if(info->chmuxlist[i]>=info->submaps \|\| info->chmuxlist[i]<0)goto err_out;
163	}	168	}
164	}	169	}
165	for(i=0;i<info->submaps;i++){	170	for(i=0;i<info->submaps;i++){
166	int temp=oggpack_read(opb,8);	171	int temp=oggpack_read(opb,8);
167	if(temp>=ci->times)goto err_out;	172	if(temp>=ci->times)goto err_out;
168	info->floorsubmap[i]=oggpack_read(opb,8);	173	info->floorsubmap[i]=oggpack_read(opb,8);
169	if(info->floorsubmap[i]>=ci->floors)goto err_out;	174	if(info->floorsubmap[i]>=ci->floors \|\| info->floorsubmap[i]<0)goto err_out;
170	info->residuesubmap[i]=oggpack_read(opb,8);	175	info->residuesubmap[i]=oggpack_read(opb,8);
171	if(info->residuesubmap[i]>=ci->residues)goto err_out;	176	if(info->residuesubmap[i]>=ci->residues \|\| info->residuesubmap[i]<0)
		177	goto err_out;
172	}	178	}
173		179
174	return info;	180	return info;