Apply patches from Trac #1638, additional application hardening (not
authorMonty <xiphmont@xiph.org>
Thu, 25 Mar 2010 05:21:20 +0000 (05:21 +0000)
committerMonty <xiphmont@xiph.org>
Thu, 25 Mar 2010 05:21:20 +0000 (05:21 +0000)
bugfixes, but ignoring easy-to-catch cases of improper lib use) and one
more bitstream guard.

svn path=/trunk/vorbis/; revision=17027

lib/synthesis.c

index 35fe7f5..bcf99c5 100644 (file)
 #include "os.h"
 
 int vorbis_synthesis(vorbis_block *vb,ogg_packet *op){
-  vorbis_dsp_state     *vd=vb->vd;
-  private_state        *b=vd->backend_state;
-  vorbis_info          *vi=vd->vi;
-  codec_setup_info     *ci=vi->codec_setup;
-  oggpack_buffer       *opb=&vb->opb;
+  vorbis_dsp_state     *vd= vb ? vb->vd : 0;
+  private_state        *b= vd ? vd->backend_state : 0;
+  vorbis_info          *vi= vd ? vd->vi : 0;
+  codec_setup_info     *ci= vi ? vi->codec_setup : 0;
+  oggpack_buffer       *opb=vb ? &vb->opb : 0;
   int                   type,mode,i;
 
+  if (!vd || !b || !vi || !ci || !opb) {
+    return OV_EBADPACKET;
+  }
+
   /* first things first.  Make sure decode is ready */
   _vorbis_block_ripcord(vb);
   oggpack_readinit(opb,op->packet,op->bytes);
@@ -43,9 +47,15 @@ int vorbis_synthesis(vorbis_block *vb,ogg_packet *op){
 
   /* read our mode and pre/post windowsize */
   mode=oggpack_read(opb,b->modebits);
-  if(mode==-1)return(OV_EBADPACKET);
+  if(mode==-1){
+    return(OV_EBADPACKET);
+  }
 
   vb->mode=mode;
+  if(!ci->mode_param[mode]){
+    return(OV_EBADPACKET);
+  }
+
   vb->W=ci->mode_param[mode]->blockflag;
   if(vb->W){
 
@@ -53,7 +63,9 @@ int vorbis_synthesis(vorbis_block *vb,ogg_packet *op){
        only for window selection */
     vb->lW=oggpack_read(opb,1);
     vb->nW=oggpack_read(opb,1);
-    if(vb->nW==-1)   return(OV_EBADPACKET);
+    if(vb->nW==-1){
+      return(OV_EBADPACKET);
+    }
   }else{
     vb->lW=0;
     vb->nW=0;