Commit 3b652007 authored by Timothy B. Terriberry's avatar Timothy B. Terriberry

Additional codebook validity checks.

Bail out of codebook loading early if the packet doesn't have enough data for
 the size of the codebooks it asked for.
This doesn't in and of itself provide any additional security, but it does make
 peak heap usage on many invalid files smaller.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17539 0101bb08-14d6-0310-b084-bc0e0c8e3800
parent 3ada73cc
......@@ -41,12 +41,17 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){
/* codeword ordering.... length ordered or unordered? */
switch((int)oggpack_read(opb,1)){
case 0:
case 0:{
long unused;
/* allocated but unused entries? */
unused=oggpack_read(opb,1);
if((s->entries*(unused?1:5)+7)>>3>opb->storage-oggpack_bytes(opb))
goto _eofout;
/* unordered */
s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries);
/* allocated but unused entries? */
if(oggpack_read(opb,1)){
if(unused){
/* yes, unused entries */
for(i=0;i<s->entries;i++){
......@@ -67,17 +72,22 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){
}
break;
}
case 1:
/* ordered */
{
long length=oggpack_read(opb,5)+1;
if(length==0)goto _eofout;
s->lengthlist=(long *)_ogg_malloc(sizeof(*s->lengthlist)*s->entries);
for(i=0;i<s->entries;){
long num=oggpack_read(opb,_ilog(s->entries-i));
if(num==-1)goto _eofout;
if(length>32)goto _errout;
for(j=0;j<num && i<s->entries;j++,i++)
if(length>32 || num>s->entries-i ||
(num>0 && num-1>>(length>>1)>>((length+1)>>1))>0){
goto _errout;
}
for(j=0;j<num;j++,i++)
s->lengthlist[i]=length;
length++;
}
......@@ -115,6 +125,8 @@ static_codebook *vorbis_staticbook_unpack(oggpack_buffer *opb){
}
/* quantized values */
if((quantvals*s->q_quant+7)>>3>opb->storage-oggpack_bytes(opb))
goto _eofout;
s->quantlist=(long *)_ogg_malloc(sizeof(*s->quantlist)*quantvals);
for(i=0;i<quantvals;i++)
s->quantlist[i]=oggpack_read(opb,s->q_quant);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment