Chromium Code Reviews

Side by Side Diff: patches/to_upstream/21_vorbis_overflow.patch

Issue 5964011: Fix a couple of errors with bad Vorbis headers, and go through the associated... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/ffmpeg/
Patch Set: '' Created 9 years, 12 months ago
1 diff -wurp -N orig/libavcodec/vorbis_dec.c ffmpeg-mt/libavcodec/vorbis_dec.c
2 --- orig/libavcodec/vorbis_dec.c 2010-12-27 11:16:48.320721968 -0800
3 +++ ffmpeg-mt/libavcodec/vorbis_dec.c 2010-12-27 11:55:33.241708823 -0800
4 @@ -536,6 +536,12 @@ static int vorbis_parse_setup_hdr_floors
5 rangebits = get_bits(gb, 4);
6 floor_setup->data.t1.list[0].x = 0;
7 floor_setup->data.t1.list[1].x = (1 << rangebits);
8 + if (floor_setup->data.t1.list[1].x > vc->blocksize[1] / 2) {
9 + av_log(vc->avccontext, AV_LOG_ERROR,
10 + "Floor value is too large for blocksize: %d (%d)\n",
11 + floor_setup->data.t1.list[1].x, vc->blocksize[1] / 2);
12 + return -1;
13 + }
14
15 for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
16 for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_set up->data.t1.partition_class[j]]; ++k, ++floor1_values) {
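Review bot: the new av_log call formats vc->blocksize[1] / 2 with %d, while the residue-setup message later in this same patch formats the identical expression with %"PRIdFAST32". If blocksize is a fast-width integer type that is wider than int on some platform, %d is a mismatched specifier there, so use the same PRIdFAST32 macro here or cast both arguments to int explicitly. The check also has no comment saying why list[1].x must not exceed half the long block size; a short one, in the style of the "Validations to prevent a buffer overflow later" comment in the residue parser, would make the intent clear to upstream. It is also worth confirming that vc->blocksize[1] is always populated before the floor setup is parsed, since the check depends on it and the hunk does not show where it is set.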
17 @@ -653,7 +659,7 @@ static int vorbis_parse_setup_hdr_residu
18 res_setup->partition_size = get_bits(gb, 24) + 1;
19 /* Validations to prevent a buffer overflow later. */
20 if (res_setup->begin>res_setup->end ||
21 - res_setup->end > vc->avccontext->channels * vc->blocksize[1] / (res _setup->type == 2 ? 1 : 2) ||
22 + res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
23 (res_setup->end-res_setup->begin) / res_setup->partition_size > V_M AX_PARTITIONS) {
24 av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type , begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup-> partition_size, vc->blocksize[1] / 2);
25 return -1;
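Review bot: the replacement line drops the res_setup->type == 2 distinction and applies one limit, vc->avccontext->channels * vc->blocksize[1] / 2, to every residue type. That tightens the limit for type 2, but types other than 2 keep the channels multiplier they had before. Please state in the comment above the check which buffer this bound protects, and whether types other than 2 should instead be limited to vc->blocksize[1] / 2 without the channels factor. Separately, the error message on the following line prints vc->blocksize[1] / 2 as the "blocksize" value, which is not the limit the condition actually tests; printing the channel count or the computed limit would make a rejected file easier to diagnose.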