
Side by Side Diff: patches/to_upstream/49_vorbis_buffer_defense.patch

Issue 8414025: An additional defense in the Vorbis codec. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/ffmpeg/
Patch Set: Created 9 years, 1 month ago
(Empty)
1 diff -wurp -N orig/libavcodec/vorbisdec.c patched-ffmpeg/libavcodec/vorbisdec.c
2 --- orig/libavcodec/vorbisdec.c 2011-10-27 17:02:13.946264938 -0700
3 +++ patched-ffmpeg/libavcodec/vorbisdec.c 2011-10-28 09:25:36.195272835 -0 700
4 @@ -1271,6 +1271,7 @@ static av_always_inline int vorbis_resid
5 uint8_t *do_not_deco de,
6 float *vec,
7 unsigned vlen,
8 + unsigned ch_left,
9 int vr_type)
10 {
11 GetBitContext *gb = &vc->gb;
12 @@ -1278,6 +1279,7 @@ static av_always_inline int vorbis_resid
13 unsigned ptns_to_read = vr->ptns_to_read;
14 uint8_t *classifs = vr->classifs;
15 unsigned pass, ch_used, i, j, k, l;
16 + unsigned max_output = (ch - 1) * vlen;
17
18 if (vr_type == 2) {
19 for (j = 1; j < ch; ++j)
20 @@ -1285,8 +1287,15 @@ static av_always_inline int vorbis_resid
21 if (do_not_decode[0])
22 return 0;
23 ch_used = 1;
24 + max_output += vr->end / ch;
25 } else {
26 ch_used = ch;
27 + max_output += vr->end;
28 + }
29 +
30 + if (max_output > ch_left * vlen) {
31 + av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n");
32 + return -1;
33 }
34
35 av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c _p_c);
36 @@ -1413,14 +1422,15 @@ static av_always_inline int vorbis_resid
37 static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr,
38 unsigned ch,
39 uint8_t *do_not_decode,
40 - float *vec, unsigned vlen)
41 + float *vec, unsigned vlen,
42 + unsigned ch_left)
43 {
44 if (vr->type == 2)
45 - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, v len, 2);
46 + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, v len, ch_left, 2);
47 else if (vr->type == 1)
48 - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, v len, 1);
49 + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, v len, ch_left, 1);
50 else if (vr->type == 0)
51 - return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, v len, 0);
52 + return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, v len, ch_left, 0);
53 else {
54 av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while resid ue decode?! \n");
55 return -1;
56 @@ -1468,7 +1478,8 @@ static int vorbis_parse_audio_packet(vor
57 uint8_t res_chan[255];
58 unsigned res_num = 0;
59 int retlen = 0;
60 - int ch_left = vc->audio_channels;
61 + unsigned ch_left = vc->audio_channels;
62 + unsigned vlen;
63
64 if (get_bits1(gb)) {
65 av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
66 @@ -1488,11 +1499,12 @@ static int vorbis_parse_audio_packet(vor
67
68 blockflag = vc->modes[mode_number].blockflag;
69 blocksize = vc->blocksize[blockflag];
70 + vlen = blocksize / 2;
71 if (blockflag)
72 skip_bits(gb, 2); // previous_window, next_window
73
74 - memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2) ; //FIXME can this be removed ?
75 - memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2) ; //FIXME can this be removed ?
76 + memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
77 + memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
78
79 // Decode floor
80
81 @@ -1512,7 +1524,7 @@ static int vorbis_parse_audio_packet(vor
82 return -1;
83 }
84 no_residue[i] = ret;
85 - ch_floor_ptr += blocksize / 2;
86 + ch_floor_ptr += vlen;
87 }
88
89 // Nonzero vector propagate
90 @@ -1529,6 +1541,7 @@ static int vorbis_parse_audio_packet(vor
91 for (i = 0; i < mapping->submaps; ++i) {
92 vorbis_residue *residue;
93 unsigned ch = 0;
94 + int ret;
95
96 for (j = 0; j < vc->audio_channels; ++j) {
97 if ((mapping->submaps == 1) || (i == mapping->mux[j])) {
98 @@ -1547,9 +1560,11 @@ static int vorbis_parse_audio_packet(vor
99 av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_f loor_decode.\n");
100 return -1;
101 }
102 - vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, block size/2);
103 + ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left);
104 + if (ret < 0)
105 + return ret;
106
107 - ch_res_ptr += ch * blocksize / 2;
108 + ch_res_ptr += ch * vlen;
109 ch_left -= ch;
110 }
111
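Review bot: The new bound in vorbis_residue_decode_internal (patch lines 16 and 24) assumes `ch >= 1`: for `ch == 0` the unsigned expression `(ch - 1) * vlen` wraps, and the type-2 branch then divides by zero in `vr->end / ch`. Whether a submap can reach the call with no channels is decided by the mapping loop in vorbis_parse_audio_packet, most of which lies outside the visible hunks, so this is inferred rather than read off the diff. If it can happen, wrap the call site in `if (ch) {` around `ret = vorbis_residue_decode(...)`, or move the `max_output` computation below an `if (!ch) return 0;` guard, so the check stays well defined. A one-line comment on the new parameter would also help, for example `/* ch_left: channels not yet consumed in vec, so ch_left * vlen floats remain */`, since the comparison `max_output > ch_left * vlen` depends on that unit.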