diff options
Diffstat (limited to 'apps/codecs/libtremor/res012.c')
-rw-r--r-- | apps/codecs/libtremor/res012.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/apps/codecs/libtremor/res012.c b/apps/codecs/libtremor/res012.c index 9abe75aed2..a60cf7fa1e 100644 --- a/apps/codecs/libtremor/res012.c +++ b/apps/codecs/libtremor/res012.c | |||
@@ -114,6 +114,10 @@ static vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){ | |||
114 | 114 | ||
115 | /* verify the phrasebook is not specifying an impossible or | 115 | /* verify the phrasebook is not specifying an impossible or |
116 | inconsistent partitioning scheme. */ | 116 | inconsistent partitioning scheme. */ |
117 | /* modify the phrasebook ranging check from r16327; an early beta | ||
118 | encoder had a bug where it used an oversized phrasebook by | ||
119 | accident. These files should continue to be playable, but don't | ||
120 | allow an exploit */ | ||
117 | { | 121 | { |
118 | int entries = ci->book_param[info->groupbook]->entries; | 122 | int entries = ci->book_param[info->groupbook]->entries; |
119 | int dim = ci->book_param[info->groupbook]->dim; | 123 | int dim = ci->book_param[info->groupbook]->dim; |
@@ -123,7 +127,7 @@ static vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){ | |||
123 | if(partvals > entries) goto errout; | 127 | if(partvals > entries) goto errout; |
124 | dim--; | 128 | dim--; |
125 | } | 129 | } |
126 | if(partvals != entries) goto errout; | 130 | info->partvals = partvals; |
127 | } | 131 | } |
128 | 132 | ||
129 | return(info); | 133 | return(info); |
@@ -220,7 +224,7 @@ static int _01inverse(vorbis_block *vb,vorbis_look_residue *vl, | |||
220 | /* fetch the partition word for each channel */ | 224 | /* fetch the partition word for each channel */ |
221 | for(j=0;j<ch;j++){ | 225 | for(j=0;j<ch;j++){ |
222 | int temp=vorbis_book_decode(look->phrasebook,&vb->opb); | 226 | int temp=vorbis_book_decode(look->phrasebook,&vb->opb); |
223 | if(temp==-1)goto eopbreak; | 227 | if(temp==-1 || temp>=info->partvals)goto eopbreak; |
224 | partword[j][l]=look->decodemap[temp]; | 228 | partword[j][l]=look->decodemap[temp]; |
225 | if(partword[j][l]==NULL)goto errout; | 229 | if(partword[j][l]==NULL)goto errout; |
226 | } | 230 | } |
@@ -305,7 +309,7 @@ int res2_inverse(vorbis_block *vb,vorbis_look_residue *vl, | |||
305 | if(s==0){ | 309 | if(s==0){ |
306 | /* fetch the partition word */ | 310 | /* fetch the partition word */ |
307 | int temp=vorbis_book_decode(look->phrasebook,&vb->opb); | 311 | int temp=vorbis_book_decode(look->phrasebook,&vb->opb); |
308 | if(temp==-1)goto eopbreak; | 312 | if(temp==-1 || temp>info->partvals)goto eopbreak; |
309 | partword[l]=look->decodemap[temp]; | 313 | partword[l]=look->decodemap[temp]; |
310 | if(partword[l]==NULL)goto errout; | 314 | if(partword[l]==NULL)goto errout; |
311 | } | 315 | } |