git-svn-id: https://svn.xiph.org/trunk/Tremor@17547 0101bb08-14d6-0310-b084-bc0e0c8e3800

needed to decode was not an integer number of dims wide.  This caused
it to overflow the output vector as the termination condition was in
the outer loop of vorbis_book_decodev_set.

None of the various vorbis_book_decodeXXXX calls internally guard
against this case either, but in every other use the calling code does
properly guard (and avoids putting more checks in the tight inner
decode loop).

For floor0, move the checks into the inner loop as there's little
penalty for doing so.  Add commentary indicating where guarding is
done for each call variant.




git-svn-id: https://svn.xiph.org/trunk/Tremor@17546 0101bb08-14d6-0310-b084-bc0e0c8e3800

zzuf.00005.361003813.chop.lsp-test4.ogg etc.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17545 0101bb08-14d6-0310-b084-bc0e0c8e3800

zzuf.00005.355571120.chop.rc2-test2.ogg




git-svn-id: https://svn.xiph.org/trunk/Tremor@17544 0101bb08-14d6-0310-b084-bc0e0c8e3800

range of the piecewise representation, it can overflow the lookup.
Proper fix here is just a simple clamp.




git-svn-id: https://svn.xiph.org/trunk/Tremor@17543 0101bb08-14d6-0310-b084-bc0e0c8e3800

playback of some older (pre-1.0) files removed an [implicit] check
against phrasebook dim being set to zero.  Reinstate as an explicit
check.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17542 0101bb08-14d6-0310-b084-bc0e0c8e3800

possible to game the granpos such that the trim code would try to
rewind more samples than were actually available in storage.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17541 0101bb08-14d6-0310-b084-bc0e0c8e3800

codebook.c:87: warning: suggest parentheses around '-' inside '>>'


git-svn-id: https://svn.xiph.org/trunk/Tremor@17540 0101bb08-14d6-0310-b084-bc0e0c8e3800

Bail out of codebook loading early if the packet doesn't have enough data for
 the size of the codebooks it asked for.
This doesn't in and of itself provide any additional security, but it does make
 peak heap usage on many invalid files smaller.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17539 0101bb08-14d6-0310-b084-bc0e0c8e3800

Header setup allows the LSP order to be as low as one, but the code in
 vorbis_lsp_to_curve() assumed it was at least two.
This wasn't terrible in libvorbis... it would multiply a nonsense (but defined)
 value into the output, and nothing more.
In Tremor, it referenced several completely undefined (stack) values, which
 could cause out-of-bounds lookup table accesses and crashes.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17538 0101bb08-14d6-0310-b084-bc0e0c8e3800

Storing a serial number in a long and comparing it to an ogg_uint32_t only
 works if you cast the long down, instead of letting C promote it.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17536 0101bb08-14d6-0310-b084-bc0e0c8e3800

Correct 'seconds' to 'milliseconds', a cosmetic error that's been there since the iseeking_example was originally copied over from reference.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17535 0101bb08-14d6-0310-b084-bc0e0c8e3800

seeking bisection computation

This is the equivalent of the r15921 fix in reference, but doesn't
require a double cast (for obvious reasons).  The technique is
different, the intent is the same (avoid a 64x64= >64 bit overflow)




git-svn-id: https://svn.xiph.org/trunk/Tremor@17534 0101bb08-14d6-0310-b084-bc0e0c8e3800

Patch iseeking example to continue if there's insufficient memory to allocate a verification buffer for excessively
large samples.

Also correct sample/time calculation to not overflow 64 bit math, again for
those excessively long samples



git-svn-id: https://svn.xiph.org/trunk/Tremor@17533 0101bb08-14d6-0310-b084-bc0e0c8e3800

Unless you're using the autotools build system, <vorbis/...> doesn't exist, and
 could pull out-of-date system headers anyway.
ivorbisfile_example had the same problem, but that fix was accidentally
 included in r17526.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17532 0101bb08-14d6-0310-b084-bc0e0c8e3800

r16328 (committed in Tremor as r17526) broke chaining by causing
 vorbis_synthesis_init() to fail on a second call.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17531 0101bb08-14d6-0310-b084-bc0e0c8e3800

Fix leak when aborting out of static_codebook unpack.  Closes #1663.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17530 0101bb08-14d6-0310-b084-bc0e0c8e3800

Apply patches from Trac #1638, additional application hardening.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17529 0101bb08-14d6-0310-b084-bc0e0c8e3800

Don't allow ordered codebooks with codeword lengths longer than 32 bits.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17528 0101bb08-14d6-0310-b084-bc0e0c8e3800

Eliminate possibility of booklist overflow in res0/1/2 unpacking.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17527 0101bb08-14d6-0310-b084-bc0e0c8e3800

ivorbisfile_example.c ignores an error code and plows ahead blindly if
 libvorbisidec reports the current bitstream section is bad (OV_EBADLINK).
Retrying after the error crashes libvorbisidec due to the unitialized state.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17526 0101bb08-14d6-0310-b084-bc0e0c8e3800

Commit additional hardening to setup packet decode.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17525 0101bb08-14d6-0310-b084-bc0e0c8e3800

Fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501279


git-svn-id: https://svn.xiph.org/trunk/Tremor@17524 0101bb08-14d6-0310-b084-bc0e0c8e3800

Second half of fix to https://bugzilla.mozilla.org/show_bug.cgi?id=500254
Sanity check the floor 1 post list to reject files with repeated values that
 would result in floor line segments with zero length.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17523 0101bb08-14d6-0310-b084-bc0e0c8e3800

First half of fix for https://bugzilla.mozilla.org/show_bug.cgi?id=500254
Residue code was not checking that its partition books were books with
 specified/populated value mappings.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17522 0101bb08-14d6-0310-b084-bc0e0c8e3800

git-svn-id: https://svn.xiph.org/trunk/Tremor@17521 0101bb08-14d6-0310-b084-bc0e0c8e3800

Fix for bug #1456-- the 'bulletproofing' from CVE-2008-1420 inadvertantly 
 rejects a harmless/legal (if suboptimal) codebook arrangement that was 
 apparently used in 1.0b1.
Modify fix for Trac #1572; some files from the earliest beta
 accidentally used an oversized phrasebook in res decode; allow these.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17520 0101bb08-14d6-0310-b084-bc0e0c8e3800

Correct an accidental dereference-before-check in error cleanup in comments.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17519 0101bb08-14d6-0310-b084-bc0e0c8e3800

The vorbisfile part of this got merged in r16259, but the corresponding changes
 to voris_synthesis_init() to actually return a failure code did not.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17518 0101bb08-14d6-0310-b084-bc0e0c8e3800

Actually allocate the right number of comments, and add an extra check against
 i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
 machine... unlikely, but possible).


git-svn-id: https://svn.xiph.org/trunk/Tremor@17517 0101bb08-14d6-0310-b084-bc0e0c8e3800

This accidentally contained far more than I meant to commit.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17516 0101bb08-14d6-0310-b084-bc0e0c8e3800

Actually allocate the right number of comments, and add an extra check against
 i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
 machine... unlikely, but possible).


git-svn-id: https://svn.xiph.org/trunk/Tremor@17515 0101bb08-14d6-0310-b084-bc0e0c8e3800

Don't try to read past the end of the comment packet if the string lengths are
 corrupt.
Correct a potential comment length sanity check overflow.
Commit additional hardening to comment packet decode.

Also add allocation checks, since these can still run us out of address space
 if someone actually sends a GB or two of comment data.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17514 0101bb08-14d6-0310-b084-bc0e0c8e3800

Add code to prevent heap attacks by exploiting dim==bignum and
 partition_codewords==partion_values^dim.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17513 0101bb08-14d6-0310-b084-bc0e0c8e3800

Correctly handle the nonsensical codebook.dim==0 case.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17512 0101bb08-14d6-0310-b084-bc0e0c8e3800

Add checks/rejection for absurdly huge codebooks.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17511 0101bb08-14d6-0310-b084-bc0e0c8e3800

Additional bulletproofing to hufftree decoding; reject underpopulated trees
 up-front.
Handle the case of single-entry codebooks.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17510 0101bb08-14d6-0310-b084-bc0e0c8e3800

Moral equivalent of r15937 for libvorbis.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17509 0101bb08-14d6-0310-b084-bc0e0c8e3800

git-svn-id: https://svn.xiph.org/trunk/Tremor@17376 0101bb08-14d6-0310-b084-bc0e0c8e3800

This makes it easier to use Tremor as a drop-in replacement for libvorbis and
 reduces code size and overhead for those who don't want to use its built-in
 Ogg demuxer.
This commit also backports all of the changes that have accumulated in
 libvorbis's vorbisfile implementation, with the exception of halfrate decoding
 and cross-lapped seeking.
Those should not be too hard to add if someone really wants them.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17375 0101bb08-14d6-0310-b084-bc0e0c8e3800