Patch from Brad Smith.
Reviewed by Ron Lee.
Fixes #1943.

git-svn-id: https://svn.xiph.org/trunk/Tremor@18906 0101bb08-14d6-0310-b084-bc0e0c8e3800

git-svn-id: https://svn.xiph.org/trunk/Tremor@18153 0101bb08-14d6-0310-b084-bc0e0c8e3800

git-svn-id: https://svn.xiph.org/trunk/Tremor@18152 0101bb08-14d6-0310-b084-bc0e0c8e3800

The use of long caused some functions which now use libogg's
 ogg_page_serialno() (which returns an int) to sign-extend the
 serialno, while the actual list was stored as ogg_uint32_t's.
This would cause subsequent lookups to fail on platforms with a
 64-bit long.
Introduced in r17375 and r16259, but only partially corrected in
 r17536.
Fixes #1838.
Thanks to achurch for the report.


git-svn-id: https://svn.xiph.org/trunk/Tremor@18116 0101bb08-14d6-0310-b084-bc0e0c8e3800

git-svn-id: https://svn.xiph.org/trunk/Tremor@18099 0101bb08-14d6-0310-b084-bc0e0c8e3800

Modified project files to have Windows CE debug builds compilable and runnable.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17636 0101bb08-14d6-0310-b084-bc0e0c8e3800

vf->current_serialno matches on return.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17572 0101bb08-14d6-0310-b084-bc0e0c8e3800

A codebook that allows values outside the circular range of the piecewise
 floor1 representation can overflow the lookup
Also fix a typo in the comments of the original patch.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17555 0101bb08-14d6-0310-b084-bc0e0c8e3800

git-svn-id: https://svn.xiph.org/trunk/Tremor@17551 0101bb08-14d6-0310-b084-bc0e0c8e3800

git-svn-id: https://svn.xiph.org/trunk/Tremor@17547 0101bb08-14d6-0310-b084-bc0e0c8e3800

needed to decode was not an integer number of dims wide.  This caused
it to overflow the output vector as the termination condition was in
the outer loop of vorbis_book_decodev_set.

None of the various vorbis_book_decodeXXXX calls internally guard
against this case either, but in every other use the calling code does
properly guard (and avoids putting more checks in the tight inner
decode loop).

For floor0, move the checks into the inner loop as there's little
penalty for doing so.  Add commentary indicating where guarding is
done for each call variant.




git-svn-id: https://svn.xiph.org/trunk/Tremor@17546 0101bb08-14d6-0310-b084-bc0e0c8e3800

zzuf.00005.361003813.chop.lsp-test4.ogg etc.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17545 0101bb08-14d6-0310-b084-bc0e0c8e3800

zzuf.00005.355571120.chop.rc2-test2.ogg




git-svn-id: https://svn.xiph.org/trunk/Tremor@17544 0101bb08-14d6-0310-b084-bc0e0c8e3800

range of the piecewise representation, it can overflow the lookup.
Proper fix here is just a simple clamp.




git-svn-id: https://svn.xiph.org/trunk/Tremor@17543 0101bb08-14d6-0310-b084-bc0e0c8e3800

playback of some older (pre-1.0) files removed an [implicit] check
against phrasebook dim being set to zero.  Reinstate as an explicit
check.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17542 0101bb08-14d6-0310-b084-bc0e0c8e3800

possible to game the granpos such that the trim code would try to
rewind more samples than were actually available in storage.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17541 0101bb08-14d6-0310-b084-bc0e0c8e3800

codebook.c:87: warning: suggest parentheses around '-' inside '>>'


git-svn-id: https://svn.xiph.org/trunk/Tremor@17540 0101bb08-14d6-0310-b084-bc0e0c8e3800

Bail out of codebook loading early if the packet doesn't have enough data for
 the size of the codebooks it asked for.
This doesn't in and of itself provide any additional security, but it does make
 peak heap usage on many invalid files smaller.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17539 0101bb08-14d6-0310-b084-bc0e0c8e3800

Header setup allows the LSP order to be as low as one, but the code in
 vorbis_lsp_to_curve() assumed it was at least two.
This wasn't terrible in libvorbis... it would multiply a nonsense (but defined)
 value into the output, and nothing more.
In Tremor, it referenced several completely undefined (stack) values, which
 could cause out-of-bounds lookup table accesses and crashes.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17538 0101bb08-14d6-0310-b084-bc0e0c8e3800

Storing a serial number in a long and comparing it to an ogg_uint32_t only
 works if you cast the long down, instead of letting C promote it.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17536 0101bb08-14d6-0310-b084-bc0e0c8e3800

Correct 'seconds' to 'milliseconds', a cosmetic error that's been there since the iseeking_example was originally copied over from reference.



git-svn-id: https://svn.xiph.org/trunk/Tremor@17535 0101bb08-14d6-0310-b084-bc0e0c8e3800

seeking bisection computation

This is the equivalent of the r15921 fix in reference, but doesn't
require a double cast (for obvious reasons).  The technique is
different, the intent is the same (avoid a 64x64= >64 bit overflow)




git-svn-id: https://svn.xiph.org/trunk/Tremor@17534 0101bb08-14d6-0310-b084-bc0e0c8e3800

Patch iseeking example to continue if there's insufficient memory to allocate a verification buffer for excessively
large samples.

Also correct sample/time calculation to not overflow 64 bit math, again for
those excessively long samples



git-svn-id: https://svn.xiph.org/trunk/Tremor@17533 0101bb08-14d6-0310-b084-bc0e0c8e3800

Unless you're using the autotools build system, <vorbis/...> doesn't exist, and
 could pull out-of-date system headers anyway.
ivorbisfile_example had the same problem, but that fix was accidentally
 included in r17526.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17532 0101bb08-14d6-0310-b084-bc0e0c8e3800

r16328 (committed in Tremor as r17526) broke chaining by causing
 vorbis_synthesis_init() to fail on a second call.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17531 0101bb08-14d6-0310-b084-bc0e0c8e3800

Fix leak when aborting out of static_codebook unpack.  Closes #1663.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17530 0101bb08-14d6-0310-b084-bc0e0c8e3800

Apply patches from Trac #1638, additional application hardening.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17529 0101bb08-14d6-0310-b084-bc0e0c8e3800

Don't allow ordered codebooks with codeword lengths longer than 32 bits.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17528 0101bb08-14d6-0310-b084-bc0e0c8e3800

Eliminate possibility of booklist overflow in res0/1/2 unpacking.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17527 0101bb08-14d6-0310-b084-bc0e0c8e3800

ivorbisfile_example.c ignores an error code and plows ahead blindly if
 libvorbisidec reports the current bitstream section is bad (OV_EBADLINK).
Retrying after the error crashes libvorbisidec due to the unitialized state.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17526 0101bb08-14d6-0310-b084-bc0e0c8e3800

Commit additional hardening to setup packet decode.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17525 0101bb08-14d6-0310-b084-bc0e0c8e3800

Fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501279


git-svn-id: https://svn.xiph.org/trunk/Tremor@17524 0101bb08-14d6-0310-b084-bc0e0c8e3800

Second half of fix to https://bugzilla.mozilla.org/show_bug.cgi?id=500254
Sanity check the floor 1 post list to reject files with repeated values that
 would result in floor line segments with zero length.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17523 0101bb08-14d6-0310-b084-bc0e0c8e3800

First half of fix for https://bugzilla.mozilla.org/show_bug.cgi?id=500254
Residue code was not checking that its partition books were books with
 specified/populated value mappings.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17522 0101bb08-14d6-0310-b084-bc0e0c8e3800

git-svn-id: https://svn.xiph.org/trunk/Tremor@17521 0101bb08-14d6-0310-b084-bc0e0c8e3800

Fix for bug #1456-- the 'bulletproofing' from CVE-2008-1420 inadvertantly 
 rejects a harmless/legal (if suboptimal) codebook arrangement that was 
 apparently used in 1.0b1.
Modify fix for Trac #1572; some files from the earliest beta
 accidentally used an oversized phrasebook in res decode; allow these.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17520 0101bb08-14d6-0310-b084-bc0e0c8e3800

Correct an accidental dereference-before-check in error cleanup in comments.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17519 0101bb08-14d6-0310-b084-bc0e0c8e3800

The vorbisfile part of this got merged in r16259, but the corresponding changes
 to voris_synthesis_init() to actually return a failure code did not.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17518 0101bb08-14d6-0310-b084-bc0e0c8e3800

Actually allocate the right number of comments, and add an extra check against
 i+1 overflowing (which could happen with a 4 GB comment packet on a 64-bit
 machine... unlikely, but possible).


git-svn-id: https://svn.xiph.org/trunk/Tremor@17517 0101bb08-14d6-0310-b084-bc0e0c8e3800

This accidentally contained far more than I meant to commit.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17516 0101bb08-14d6-0310-b084-bc0e0c8e3800