Fixes Bug: #191 Chromium Bug: #101458 CVE-2011-3895 Signed-off-by: Reinhard Tartler <[email protected]> --- libavcodec/vorbisdec.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-)
I have to admit that I don't really understand what's going on here. I'm forwarding this bug based on the information based from http://bugzilla.libav.org/show_bug.cgi?id=191 diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 70690dd..51523a6 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -675,7 +675,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc) res_setup->partition_size = get_bits(gb, 24) + 1; /* Validations to prevent a buffer overflow later. */ if (res_setup->begin>res_setup->end || - res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 || + res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 || (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) { av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n", @@ -1479,6 +1479,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) uint8_t res_chan[255]; unsigned res_num = 0; int retlen = 0; + int ch_left = vc->audio_channels; if (get_bits1(gb)) { av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); @@ -1553,9 +1554,14 @@ static int vorbis_parse_audio_packet(vorbis_context *vc) } } residue = &vc->residues[mapping->submap_residue[i]]; + if (ch_left < ch) { + av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); + return -1; + } vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); ch_res_ptr += ch * blocksize / 2; + ch_left -= ch; } // Inverse coupling -- 1.7.5.4 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
