Commit 7e94eea5 authored by Timothy B. Terriberry's avatar Timothy B. Terriberry

Forward port r14598 from libvorbis.

Add code to prevent heap attacks by exploiting dim==bignum and
 partition_codewords==partion_values^dim.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17513 0101bb08-14d6-0310-b084-bc0e0c8e3800
parent 1d1f93e5
......@@ -113,6 +113,20 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
for(j=0;j<acc;j++)
if(info->booklist[j]>=ci->books)goto errout;
/* verify the phrasebook is not specifying an impossible or
inconsistent partitioning scheme. */
{
int entries = ci->book_param[info->groupbook]->entries;
int dim = ci->book_param[info->groupbook]->dim;
int partvals = 1;
while(dim>0){
partvals *= info->partitions;
if(partvals > entries) goto errout;
dim--;
}
if(partvals != entries) goto errout;
}
return(info);
errout:
res0_free_info(info);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment