diff options
author | Nils Wallménius <nils@rockbox.org> | 2010-12-08 16:48:17 +0000 |
---|---|---|
committer | Nils Wallménius <nils@rockbox.org> | 2010-12-08 16:48:17 +0000 |
commit | f6297c1f3ef0b528fb6969bb065a42193e7a3394 (patch) | |
tree | aab8f9f69046b1274b39a12a34758e16bf67810a /apps/codecs/libtremor | |
parent | 7484fd3b18c7cf0f48f171cca40c29ec762c8310 (diff) | |
download | rockbox-f6297c1f3ef0b528fb6969bb065a42193e7a3394.tar.gz rockbox-f6297c1f3ef0b528fb6969bb065a42193e7a3394.zip |
libtremor: merge upstream revision 17539 and 17540 'Additional codebook validity checks.'
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@28771 a1c6a512-1295-4272-9138-f99709370657
Diffstat (limited to 'apps/codecs/libtremor')
-rw-r--r-- | apps/codecs/libtremor/codebook.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/apps/codecs/libtremor/codebook.c b/apps/codecs/libtremor/codebook.c index fd473280b2..e00d648a59 100644 --- a/apps/codecs/libtremor/codebook.c +++ b/apps/codecs/libtremor/codebook.c | |||
@@ -42,12 +42,17 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){ | |||
42 | 42 | ||
43 | /* codeword ordering.... length ordered or unordered? */ | 43 | /* codeword ordering.... length ordered or unordered? */ |
44 | switch((int)oggpack_read(opb,1)){ | 44 | switch((int)oggpack_read(opb,1)){ |
45 | case 0: | 45 | case 0:{ |
46 | long unused; | ||
47 | /* allocated but unused entries? */ | ||
48 | unused=oggpack_read(opb,1); | ||
49 | if((s->entries*(unused?1:5)+7)>>3>opb->storage-oggpack_bytes(opb)) | ||
50 | goto _eofout; | ||
46 | /* unordered */ | 51 | /* unordered */ |
47 | s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries); | 52 | s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries); |
48 | 53 | ||
49 | /* allocated but unused entries? */ | 54 | /* allocated but unused entries? */ |
50 | if(oggpack_read(opb,1)){ | 55 | if(unused){ |
51 | /* yes, unused entries */ | 56 | /* yes, unused entries */ |
52 | 57 | ||
53 | for(i=0;i<s->entries;i++){ | 58 | for(i=0;i<s->entries;i++){ |
@@ -68,17 +73,22 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){ | |||
68 | } | 73 | } |
69 | 74 | ||
70 | break; | 75 | break; |
76 | } | ||
71 | case 1: | 77 | case 1: |
72 | /* ordered */ | 78 | /* ordered */ |
73 | { | 79 | { |
74 | long length=oggpack_read(opb,5)+1; | 80 | long length=oggpack_read(opb,5)+1; |
81 | if(length==0)goto _eofout; | ||
75 | s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries); | 82 | s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries); |
76 | 83 | ||
77 | for(i=0;i<s->entries;){ | 84 | for(i=0;i<s->entries;){ |
78 | long num=oggpack_read(opb,_ilog(s->entries-i)); | 85 | long num=oggpack_read(opb,_ilog(s->entries-i)); |
79 | if(num==-1)goto _eofout; | 86 | if(num==-1)goto _eofout; |
80 | if(length>32)goto _errout; | 87 | if(length>32 || num>s->entries-i || |
81 | for(j=0;j<num && i<s->entries;j++,i++) | 88 | (num>0 && (num-1)>>(length>>1)>>((length+1)>>1))>0){ |
89 | goto _errout; | ||
90 | } | ||
91 | for(j=0;j<num;j++,i++) | ||
82 | s->lengthlist[i]=length; | 92 | s->lengthlist[i]=length; |
83 | length++; | 93 | length++; |
84 | } | 94 | } |
@@ -116,6 +126,8 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){ | |||
116 | } | 126 | } |
117 | 127 | ||
118 | /* quantized values */ | 128 | /* quantized values */ |
129 | if((quantvals*s->q_quant+7)>>3>opb->storage-oggpack_bytes(opb)) | ||
130 | goto _eofout; | ||
119 | s->quantlist=(long *)_ogg_malloc(sizeof(*s->quantlist)*quantvals); | 131 | s->quantlist=(long *)_ogg_malloc(sizeof(*s->quantlist)*quantvals); |
120 | for(i=0;i<quantvals;i++) | 132 | for(i=0;i<quantvals;i++) |
121 | s->quantlist[i]=oggpack_read(opb,s->q_quant); | 133 | s->quantlist[i]=oggpack_read(opb,s->q_quant); |