diff options
| -rw-r--r-- | apps/codecs/libtremor/backends.h | 1 | ||||
| -rw-r--r-- | apps/codecs/libtremor/res012.c | 10 |
2 files changed, 8 insertions, 3 deletions
diff --git a/apps/codecs/libtremor/backends.h b/apps/codecs/libtremor/backends.h index 29ab935993..0f85c8ec32 100644 --- a/apps/codecs/libtremor/backends.h +++ b/apps/codecs/libtremor/backends.h | |||
| @@ -92,6 +92,7 @@ typedef struct vorbis_info_residue0{ | |||
| 92 | /* first stage (lossless partitioning) */ | 92 | /* first stage (lossless partitioning) */ |
| 93 | int grouping; /* group n vectors per partition */ | 93 | int grouping; /* group n vectors per partition */ |
| 94 | int partitions; /* possible codebooks for a partition */ | 94 | int partitions; /* possible codebooks for a partition */ |
| 95 | int partvals; /* partitions ^ groupbook dim */ | ||
| 95 | int groupbook; /* huffbook for partitioning */ | 96 | int groupbook; /* huffbook for partitioning */ |
| 96 | int secondstages[64]; /* expanded out to pointers in lookup */ | 97 | int secondstages[64]; /* expanded out to pointers in lookup */ |
| 97 | int booklist[256]; /* list of second stage books */ | 98 | int booklist[256]; /* list of second stage books */ |
diff --git a/apps/codecs/libtremor/res012.c b/apps/codecs/libtremor/res012.c index 9abe75aed2..a60cf7fa1e 100644 --- a/apps/codecs/libtremor/res012.c +++ b/apps/codecs/libtremor/res012.c | |||
| @@ -114,6 +114,10 @@ static vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){ | |||
| 114 | 114 | ||
| 115 | /* verify the phrasebook is not specifying an impossible or | 115 | /* verify the phrasebook is not specifying an impossible or |
| 116 | inconsistent partitioning scheme. */ | 116 | inconsistent partitioning scheme. */ |
| 117 | /* modify the phrasebook ranging check from r16327; an early beta | ||
| 118 | encoder had a bug where it used an oversized phrasebook by | ||
| 119 | accident. These files should continue to be playable, but don't | ||
| 120 | allow an exploit */ | ||
| 117 | { | 121 | { |
| 118 | int entries = ci->book_param[info->groupbook]->entries; | 122 | int entries = ci->book_param[info->groupbook]->entries; |
| 119 | int dim = ci->book_param[info->groupbook]->dim; | 123 | int dim = ci->book_param[info->groupbook]->dim; |
| @@ -123,7 +127,7 @@ static vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){ | |||
| 123 | if(partvals > entries) goto errout; | 127 | if(partvals > entries) goto errout; |
| 124 | dim--; | 128 | dim--; |
| 125 | } | 129 | } |
| 126 | if(partvals != entries) goto errout; | 130 | info->partvals = partvals; |
| 127 | } | 131 | } |
| 128 | 132 | ||
| 129 | return(info); | 133 | return(info); |
| @@ -220,7 +224,7 @@ static int _01inverse(vorbis_block *vb,vorbis_look_residue *vl, | |||
| 220 | /* fetch the partition word for each channel */ | 224 | /* fetch the partition word for each channel */ |
| 221 | for(j=0;j<ch;j++){ | 225 | for(j=0;j<ch;j++){ |
| 222 | int temp=vorbis_book_decode(look->phrasebook,&vb->opb); | 226 | int temp=vorbis_book_decode(look->phrasebook,&vb->opb); |
| 223 | if(temp==-1)goto eopbreak; | 227 | if(temp==-1 || temp>=info->partvals)goto eopbreak; |
| 224 | partword[j][l]=look->decodemap[temp]; | 228 | partword[j][l]=look->decodemap[temp]; |
| 225 | if(partword[j][l]==NULL)goto errout; | 229 | if(partword[j][l]==NULL)goto errout; |
| 226 | } | 230 | } |
| @@ -305,7 +309,7 @@ int res2_inverse(vorbis_block *vb,vorbis_look_residue *vl, | |||
| 305 | if(s==0){ | 309 | if(s==0){ |
| 306 | /* fetch the partition word */ | 310 | /* fetch the partition word */ |
| 307 | int temp=vorbis_book_decode(look->phrasebook,&vb->opb); | 311 | int temp=vorbis_book_decode(look->phrasebook,&vb->opb); |
| 308 | if(temp==-1)goto eopbreak; | 312 | if(temp==-1 || temp>info->partvals)goto eopbreak; |
| 309 | partword[l]=look->decodemap[temp]; | 313 | partword[l]=look->decodemap[temp]; |
| 310 | if(partword[l]==NULL)goto errout; | 314 | if(partword[l]==NULL)goto errout; |
| 311 | } | 315 | } |