1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
$FreeBSD: ports/audio/libvorbis/files/patch-lib_res0.c,v 1.3 2009/11/24 21:32:39 naddy Exp $
--- lib/res0.c.orig 2009-11-24 21:51:43.000000000 +0100
+++ lib/res0.c 2009-11-24 21:52:01.000000000 +0100
@@ -238,6 +238,10 @@ vorbis_info_residue *res0_unpack(vorbis_
/* verify the phrasebook is not specifying an impossible or
inconsistent partitioning scheme. */
+ /* modify the phrasebook ranging check from r16327; an early beta
+ encoder had a bug where it used an oversized phrasebook by
+ accident. These files should continue to be playable, but don't
+ allow an exploit */
{
int entries = ci->book_param[info->groupbook]->entries;
int dim = ci->book_param[info->groupbook]->dim;
@@ -247,6 +251,7 @@ vorbis_info_residue *res0_unpack(vorbis_
if(partvals > entries) goto errout;
dim--;
}
+ info->partvals = partvals;
}
return(info);
@@ -667,7 +672,7 @@ static int _01inverse(vorbis_block *vb,v
for(j=0;j<ch;j++){
int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
- if(temp==-1)goto eopbreak;
+ if(temp==-1 || temp>=info->partvals)goto eopbreak;
partword[j][l]=look->decodemap[temp];
if(partword[j][l]==NULL)goto errout;
}
@@ -883,7 +888,7 @@ int res2_inverse(vorbis_block *vb,vorbis
if(s==0){
/* fetch the partition word */
int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
- if(temp==-1)goto eopbreak;
+ if(temp==-1 || temp>info->partvals)goto eopbreak;
partword[l]=look->decodemap[temp];
if(partword[l]==NULL)goto errout;
}
|
