From bdf8a243fa0d2d33475ab8b7fd61d791dfcea94f Mon Sep 17 00:00:00 2001
From: Nils Wallménius <nils@rockbox.org>
Date: Mon, 6 Dec 2010 16:48:57 +0000
Subject: libtremor: merge upstream revision 17513 'Add code to prevent heap
 attacks by exploiting dim==bignum and
 partition_codewords==partion_values^dim.'

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@28747 a1c6a512-1295-4272-9138-f99709370657
---
 apps/codecs/libtremor/res012.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/apps/codecs/libtremor/res012.c b/apps/codecs/libtremor/res012.c
index a42660a065..9abe75aed2 100644
--- a/apps/codecs/libtremor/res012.c
+++ b/apps/codecs/libtremor/res012.c
@@ -112,6 +112,20 @@ static vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
   for(j=0;j<acc;j++)
     if(info->booklist[j]>=ci->books)goto errout;
 
+  /* verify the phrasebook is not specifying an impossible or
+     inconsistent partitioning scheme. */
+  {
+    int entries = ci->book_param[info->groupbook]->entries;
+    int dim = ci->book_param[info->groupbook]->dim;
+    int partvals = 1;
+    while(dim>0){
+      partvals *= info->partitions;
+      if(partvals > entries) goto errout;
+      dim--;
+    }
+    if(partvals != entries) goto errout;
+  }
+
   return(info);
  errout:
   res0_free_info(info);
-- 
cgit v1.2.3