Diffstat (limited to 'apps')
-rw-r--r-- | apps/codecs/libtremor/codebook.c | 1 | ||||
-rw-r--r-- | apps/codecs/libtremor/floor1.c | 2 | ||||
-rw-r--r-- | apps/codecs/libtremor/info.c | 17 | ||||
-rw-r--r-- | apps/codecs/libtremor/mapping0.c | 24 |
4 files changed, 25 insertions, 19 deletions
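--- a/apps/codecs/libtremor/codebook.c
+++ b/apps/codecs/libtremor/codebook.c
@@ -101,6 +101,7 @@ int vorbis_staticbook_unpack(oggpack_buffer *opb,static_codebook *s){
 s->q_delta=oggpack_read(opb,32);
 s->q_quant=oggpack_read(opb,4)+1;
 s->q_sequencep=oggpack_read(opb,1);
+if(s->q_sequencep==-1)goto _eofout;
 
 {
 int quantvals=0;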
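Review bot: The new `if(s->q_sequencep==-1)goto _eofout;` is the only end-of-data test for the reads above it, and nothing beside it says so. It covers `q_delta` and `q_quant` only if oggpack_read keeps returning -1 once the buffer is exhausted, which is not visible in this hunk. I would add a comment above the check such as `/* EOF is sticky: a -1 on this 1-bit read also covers the wider reads above */`, and write the test as `<0` to match the checks this commit adds in the other files. The same reliance applies to `rangebits<0` standing in for `info->mult` in floor1.c. vorbis_staticbook_unpack starts and ends outside the hunk.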
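--- a/apps/codecs/libtremor/floor1.c
+++ b/apps/codecs/libtremor/floor1.c
@@ -80,6 +80,7 @@ static vorbis_info_floor *floor1_unpack (vorbis_info *vi,oggpack_buffer *opb){
 info->partitions=oggpack_read(opb,5); /* only 0 to 31 legal */
 for(j=0;j<info->partitions;j++){
 info->partitionclass[j]=oggpack_read(opb,4); /* only 0 to 15 legal */
+if(info->partitionclass[j]<0)goto err_out;
 if(maxclass<info->partitionclass[j])maxclass=info->partitionclass[j];
 }
 
@@ -102,6 +103,7 @@ static vorbis_info_floor *floor1_unpack (vorbis_info *vi,oggpack_buffer *opb){
 /* read the post list */
 info->mult=oggpack_read(opb,2)+1; /* only 1,2,3,4 legal now */
 rangebits=oggpack_read(opb,4);
+if(rangebits<0)goto err_out;
 
 for(j=0,k=0;j<info->partitions;j++){
 count+=info->class_dim[info->partitionclass[j]];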
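Review bot: `info->partitions=oggpack_read(opb,5)` in the first hunk is still used unchecked, so a truncated header yields -1 and skips the loop that holds the new `partitionclass[j]<0` test. It is then rejected only if a later read fails. Rejecting it at the read, `if(info->partitions<0)goto err_out;`, makes the failure explicit instead of depending on the code between the two hunks, which is not shown here. floor1_unpack begins and ends outside both hunks.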
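--- a/apps/codecs/libtremor/info.c
+++ b/apps/codecs/libtremor/info.c
@@ -166,7 +166,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
 
 /* codebooks */
 ci->books=oggpack_read(opb,8)+1;
-/*ci->book_param=_ogg_calloc(ci->books,sizeof(*ci->book_param));*/
+if(ci->books<=0)goto err_out;
 for(i=0;i<ci->books;i++){
 ci->book_param[i]=(static_codebook *)_ogg_calloc(1,sizeof(*ci->book_param[i]));
 if(vorbis_staticbook_unpack(opb,ci->book_param[i]))goto err_out;
@@ -174,8 +174,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
 
 /* time backend settings */
 ci->times=oggpack_read(opb,6)+1;
-/*ci->time_type=_ogg_malloc(ci->times*sizeof(*ci->time_type));*/
-/*ci->time_param=_ogg_calloc(ci->times,sizeof(void *));*/
+if(ci->times<=0)goto err_out;
 for(i=0;i<ci->times;i++){
 ci->time_type[i]=oggpack_read(opb,16);
 if(ci->time_type[i]<0 || ci->time_type[i]>=VI_TIMEB)goto err_out;
@@ -186,8 +185,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
 
 /* floor backend settings */
 ci->floors=oggpack_read(opb,6)+1;
-/*ci->floor_type=_ogg_malloc(ci->floors*sizeof(*ci->floor_type));*/
-/*ci->floor_param=_ogg_calloc(ci->floors,sizeof(void *));*/
+if(ci->floors<=0)goto err_out;
 for(i=0;i<ci->floors;i++){
 ci->floor_type[i]=oggpack_read(opb,16);
 if(ci->floor_type[i]<0 || ci->floor_type[i]>=VI_FLOORB)goto err_out;
@@ -197,8 +195,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
 
 /* residue backend settings */
 ci->residues=oggpack_read(opb,6)+1;
-/*ci->residue_type=_ogg_malloc(ci->residues*sizeof(*ci->residue_type));*/
-/*ci->residue_param=_ogg_calloc(ci->residues,sizeof(void *));*/
+if(ci->residues<=0)goto err_out;
 for(i=0;i<ci->residues;i++){
 ci->residue_type[i]=oggpack_read(opb,16);
 if(ci->residue_type[i]<0 || ci->residue_type[i]>=VI_RESB)goto err_out;
@@ -208,8 +205,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
 
 /* map backend settings */
 ci->maps=oggpack_read(opb,6)+1;
-/*ci->map_type=_ogg_malloc(ci->maps*sizeof(*ci->map_type));*/
-/*ci->map_param=_ogg_calloc(ci->maps,sizeof(void *));*/
+if(ci->maps<=0)goto err_out;
 for(i=0;i<ci->maps;i++){
 ci->map_type[i]=oggpack_read(opb,16);
 if(ci->map_type[i]<0 || ci->map_type[i]>=VI_MAPB)goto err_out;
@@ -219,7 +215,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
 
 /* mode settings */
 ci->modes=oggpack_read(opb,6)+1;
-/*vi->mode_param=_ogg_calloc(vi->modes,sizeof(void *));*/
+if(ci->modes<=0)goto err_out;
 for(i=0;i<ci->modes;i++){
 ci->mode_param[i]=(vorbis_info_mode *)_ogg_calloc(1,sizeof(*ci->mode_param[i]));
 ci->mode_param[i]->blockflag=oggpack_read(opb,1);
@@ -230,6 +226,7 @@ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){
 if(ci->mode_param[i]->windowtype>=VI_WINDOWB)goto err_out;
 if(ci->mode_param[i]->transformtype>=VI_WINDOWB)goto err_out;
 if(ci->mode_param[i]->mapping>=ci->maps)goto err_out;
+if(ci->mode_param[i]->mapping<0)goto err_out;
 }
 
 if(oggpack_read(opb,1)!=1)goto err_out; /* top level EOP check */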
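Review bot: The `_ogg_calloc` results in the codebook loop (new line 171) and the mode loop (new line 220) are used without a NULL test; `ci->mode_param[i]->blockflag` is written on the very next line. The header being parsed decides how many of these allocations happen, so if `_ogg_calloc` can fail in this build, the count checks added here do not prevent a NULL dereference. Adding `if(!ci->mode_param[i])goto err_out;` after the allocation, and `if(!ci->book_param[i])goto err_out;` before `vorbis_staticbook_unpack`, would close it, provided the err_out cleanup (outside these hunks) tolerates NULL entries. mapping0_unpack in mapping0.c has the same pattern: `info` is passed to `memset` straight after `_ogg_calloc`.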
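--- a/apps/codecs/libtremor/mapping0.c
+++ b/apps/codecs/libtremor/mapping0.c
@@ -128,19 +128,24 @@ static int ilog(unsigned int v){
 
 /* also responsible for range checking */
 static vorbis_info_mapping *mapping0_unpack(vorbis_info *vi,oggpack_buffer *opb){
-int i;
+int i,b;
 vorbis_info_mapping0 *info=(vorbis_info_mapping0 *)_ogg_calloc(1,sizeof(*info));
 codec_setup_info *ci=(codec_setup_info *)vi->codec_setup;
 memset(info,0,sizeof(*info));
 
-if(oggpack_read(opb,1))
+b=oggpack_read(opb,1);
+if(b<0)goto err_out;
+if(b){
 info->submaps=oggpack_read(opb,4)+1;
-else
+if(info->submaps<=0)goto err_out;
+}else
 info->submaps=1;
 
-if(oggpack_read(opb,1)){
+b=oggpack_read(opb,1);
+if(b<0)goto err_out;
+if(b){
 info->coupling_steps=oggpack_read(opb,8)+1;
-
+if(info->coupling_steps<=0)goto err_out;
 for(i=0;i<info->coupling_steps;i++){
 int testM=info->coupling_mag[i]=oggpack_read(opb,ilog(vi->channels));
 int testA=info->coupling_ang[i]=oggpack_read(opb,ilog(vi->channels));
@@ -154,21 +159,22 @@ static vorbis_info_mapping *mapping0_unpack(vorbis_info *vi,oggpack_buffer *opb)
 
 }
 
-if(oggpack_read(opb,2)>0)goto err_out; /* 2,3:reserved */
+if(oggpack_read(opb,2)!=0)goto err_out; /* 2,3:reserved */
 
 if(info->submaps>1){
 for(i=0;i<vi->channels;i++){
 info->chmuxlist[i]=oggpack_read(opb,4);
-if(info->chmuxlist[i]>=info->submaps)goto err_out;
+if(info->chmuxlist[i]>=info->submaps || info->chmuxlist[i]<0)goto err_out;
 }
 }
 for(i=0;i<info->submaps;i++){
 int temp=oggpack_read(opb,8);
 if(temp>=ci->times)goto err_out;
 info->floorsubmap[i]=oggpack_read(opb,8);
-if(info->floorsubmap[i]>=ci->floors)goto err_out;
+if(info->floorsubmap[i]>=ci->floors || info->floorsubmap[i]<0)goto err_out;
 info->residuesubmap[i]=oggpack_read(opb,8);
-if(info->residuesubmap[i]>=ci->residues)goto err_out;
+if(info->residuesubmap[i]>=ci->residues || info->residuesubmap[i]<0)
+goto err_out;
 }
 
 return info;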
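Review bot: In the last loop, `temp` (new line 171) is still compared only with `ci->times`, while the two reads after it gained `<0` tests in this commit. The value is discarded, so a negative `temp` is not used as an index, but `if(temp>=ci->times || temp<0)goto err_out;` would keep the three checks uniform and stop on a truncated header at the first failed read. Separately, the `if(b){ ... }else` at new lines 138-142 mixes a braced branch with an unbraced one; bracing the `else` as well would make the new control flow easier to follow.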