patches/to_upstream/48_vorbis_residue_buffer.patch - Issue 8413019: Fix vorbis decoder bug.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: patches/to_upstream/48_vorbis_residue_buffer.patch

Issue 8413019: Fix vorbis decoder bug. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/ffmpeg/

Patch Set: Created 9 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: patches/to_upstream/48_vorbis_residue_buffer.patch

===================================================================

--- patches/to_upstream/48_vorbis_residue_buffer.patch (revision 0)

+++ patches/to_upstream/48_vorbis_residue_buffer.patch (revision 0)

@@ -0,0 +1,35 @@

+diff -wurp -N orig/libavcodec/vorbisdec.c patched-ffmpeg/libavcodec/vorbisdec.c

+--- orig/libavcodec/vorbisdec.c 2011-10-27 15:48:42.027540743 -0700

++++ patched-ffmpeg/libavcodec/vorbisdec.c 2011-10-27 16:00:51.835226983 -0700

+@@ -660,7 +660,7 @@ static int vorbis_parse_setup_hdr_residu

+ res_setup->partition_size = get_bits(gb, 24) + 1;

+ /* Validations to prevent a buffer overflow later. */

+ if (res_setup->begin>res_setup->end ||

+- res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||

++ res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 ||

+ (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {

+ av_log(vc->avccontext, AV_LOG_ERROR,

+ "partition out of bounds: type, begin, end, size, blocksize: %"PRIu16", %"PRIu32", %"PRIu32", %u, %"PRIu32"\n",

+@@ -1468,6 +1468,7 @@ static int vorbis_parse_audio_packet(vor

+ uint8_t res_chan[255];

+ unsigned res_num = 0;

+ int retlen = 0;

++ int ch_left = vc->audio_channels;

+ if (get_bits1(gb)) {

+ av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");

+@@ -1542,9 +1543,14 @@ static int vorbis_parse_audio_packet(vor

+ }

+ residue = &vc->residues[mapping->submap_residue[i]];

++ if (ch_left < ch) {

++ av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n");

++ return -1;

++ }

+ vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2);

+ ch_res_ptr += ch * blocksize / 2;

++ ch_left -= ch;

+ }

+ // Inverse coupling