
Side by Side Diff: source/patched-ffmpeg-mt/libavcodec/vorbis_dec.c

Issue 5964011: Fix a couple of errors with bad Vorbis headers, and go through the associated... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/ffmpeg/
Patch Set: '' Created 9 years, 12 months ago
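--- a/source/patched-ffmpeg-mt/libavcodec/vorbis_dec.c
+++ b/source/patched-ffmpeg-mt/libavcodec/vorbis_dec.c
@@ -1,10 +1,10 @@
 /**
 * @file
 * Vorbis I decoder
 * @author Denes Balatoni ( dbalatoni programozo hu )
 *
 * This file is part of FFmpeg.
 *
 * FFmpeg is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
@@ -529,20 +529,26 @@
 
 for (j = 0; j < floor_setup->data.t1.partitions; ++j)
 floor_setup->data.t1.x_list_dim+=floor_setup->data.t1.class_dime nsions[floor_setup->data.t1.partition_class[j]];
 
 floor_setup->data.t1.list = av_mallocz(floor_setup->data.t1.x_list_d im * sizeof(vorbis_floor1_entry));
 
 
 rangebits = get_bits(gb, 4);
 floor_setup->data.t1.list[0].x = 0;
 floor_setup->data.t1.list[1].x = (1 << rangebits);
+if (floor_setup->data.t1.list[1].x > vc->blocksize[1] / 2) {
+av_log(vc->avccontext, AV_LOG_ERROR,
+"Floor value is too large for blocksize: %d (%d)\n",
+floor_setup->data.t1.list[1].x, vc->blocksize[1] / 2);
+return -1;
+}
 
 for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
 for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setu p->data.t1.partition_class[j]]; ++k, ++floor1_values) {
 floor_setup->data.t1.list[floor1_values].x = get_bits(gb, ra ngebits);
 
 AV_DEBUG(" %d. floor1 Y coord. %d \n", floor1_values, floor_ setup->data.t1.list[floor1_values].x);
 }
 }
 
 // Precalculate order of x coordinates - needed for decode
@@ -646,21 +652,21 @@
 
 res_setup->type = get_bits(gb, 16);
 
 AV_DEBUG(" %d. residue type %d \n", i, res_setup->type);
 
 res_setup->begin = get_bits(gb, 24);
 res_setup->end = get_bits(gb, 24);
 res_setup->partition_size = get_bits(gb, 24) + 1;
 /* Validations to prevent a buffer overflow later. */
 if (res_setup->begin>res_setup->end ||
-res_setup->end > vc->avccontext->channels * vc->blocksize[1] / (res_ setup->type == 2 ? 1 : 2) ||
+res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
 (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MA X_PARTITIONS) {
 av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %u, % "PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->p artition_size, vc->blocksize[1] / 2);
 return -1;
 }
 
 res_setup->classifications = get_bits(gb, 6) + 1;
 GET_VALIDATED_INDEX(res_setup->classbook, 8, vc->codebook_count)
 
 res_setup->ptns_to_read =
 (res_setup->end - res_setup->begin) / res_setup->partition_size;
@@ -1674,10 +1680,10 @@
 CODEC_ID_VORBIS,
 sizeof(vorbis_context),
 vorbis_decode_init,
 NULL,
 vorbis_decode_close,
 vorbis_decode_frame,
 .long_name = NULL_IF_CONFIG_SMALL("Vorbis"),
 .channel_layouts = ff_vorbis_channel_layouts,
 };
 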
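Review bot: The new upper bound on `res_setup->end` multiplies by `vc->avccontext->channels` for every residue type, which looks too permissive for types 0 and 1. In Vorbis only type 2 interleaves all channels into one vector of `channels * blocksize[1] / 2` values; types 0 and 1 operate on a single channel's vector of `blocksize[1] / 2`, so a header with a larger `end` would still pass this check when there is more than one channel. The enclosing function and the decode path are outside the shown lines, so confirm how `end` is consumed there, but the setup check could read `res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 ||`. Separately, the added floor1 `av_log` prints `vc->blocksize[1] / 2` with `%d` while the residue message in the same file uses `%"PRIdFAST32"` for the same expression; the format specifier should match the argument type, since a mismatch in a varargs call is undefined behaviour where the fast type is wider than `int`.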