| Index: source/patched-ffmpeg-mt/libavcodec/vorbis_dec.c
|
| ===================================================================
|
| --- source/patched-ffmpeg-mt/libavcodec/vorbis_dec.c (revision 70194)
|
| +++ source/patched-ffmpeg-mt/libavcodec/vorbis_dec.c (working copy)
|
| @@ -536,6 +536,12 @@
|
| rangebits = get_bits(gb, 4);
|
| floor_setup->data.t1.list[0].x = 0;
|
| floor_setup->data.t1.list[1].x = (1 << rangebits);
|
| + if (floor_setup->data.t1.list[1].x > vc->blocksize[1] / 2) {
|
| + av_log(vc->avccontext, AV_LOG_ERROR,
|
| + "Floor value is too large for blocksize: %d (%d)\n",
|
| + floor_setup->data.t1.list[1].x, vc->blocksize[1] / 2);
|
| + return -1;
|
| + }
|
|
|
| for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
|
| for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) {
|
| @@ -653,7 +659,7 @@
|
| res_setup->partition_size = get_bits(gb, 24) + 1;
|
| /* Validations to prevent a buffer overflow later. */
|
| if (res_setup->begin>res_setup->end ||
|
| - res_setup->end > vc->avccontext->channels * vc->blocksize[1] / (res_setup->type == 2 ? 1 : 2) ||
|
| + res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
|
| (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
|
| av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
|
| return -1;
|
|
|
Chromium Code Reviews
Issue 5964011:
Fix a couple of errors with bad Vorbis headers, and go through the associated... (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/ffmpeg/