From 13eac3bd2f721b0b8c37af0f92351e3454c2bd9f Mon Sep 17 00:00:00 2001
From: Nils Wallménius <nils@rockbox.org>
Date: Tue, 7 Dec 2010 16:12:32 +0000
Subject: libtremor: merge upstream revision 17520 and 17521 tweaking some of
 the recently introduced chaecks to not reject files made with buggy beta
 encoders.

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@28759 a1c6a512-1295-4272-9138-f99709370657
---
 apps/codecs/libtremor/res012.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'apps/codecs/libtremor/res012.c')

diff --git a/apps/codecs/libtremor/res012.c b/apps/codecs/libtremor/res012.c
index 9abe75aed2..a60cf7fa1e 100644
--- a/apps/codecs/libtremor/res012.c
+++ b/apps/codecs/libtremor/res012.c
@@ -114,6 +114,10 @@ static vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
 
   /* verify the phrasebook is not specifying an impossible or
      inconsistent partitioning scheme. */
+  /* modify the phrasebook ranging check from r16327; an early beta
+     encoder had a bug where it used an oversized phrasebook by
+     accident.  These files should continue to be playable, but don't
+     allow an exploit */
   {
     int entries = ci->book_param[info->groupbook]->entries;
     int dim = ci->book_param[info->groupbook]->dim;
@@ -123,7 +127,7 @@ static vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
       if(partvals > entries) goto errout;
       dim--;
     }
-    if(partvals != entries) goto errout;
+    info->partvals = partvals;
   }
 
   return(info);
@@ -220,7 +224,7 @@ static int _01inverse(vorbis_block *vb,vorbis_look_residue *vl,
           /* fetch the partition word for each channel */
           for(j=0;j<ch;j++){
             int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
-            if(temp==-1)goto eopbreak;
+	    if(temp==-1 || temp>=info->partvals)goto eopbreak;
             partword[j][l]=look->decodemap[temp];
             if(partword[j][l]==NULL)goto errout;
           }
@@ -305,7 +309,7 @@ int res2_inverse(vorbis_block *vb,vorbis_look_residue *vl,
         if(s==0){
           /* fetch the partition word */
           int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
-          if(temp==-1)goto eopbreak;
+	  if(temp==-1 || temp>info->partvals)goto eopbreak;
           partword[l]=look->decodemap[temp];
           if(partword[l]==NULL)goto errout;
         }
-- 
cgit v1.2.3