Modify fix for Trac #1572; some files from the earliest beta

accidentally used an oversized phrasebook in res decode; allow these
[technically corrept] files to play.  The attack fix is still
watertight, the check is simply made in a different way.

svn path=/trunk/vorbis/; revision=16552

diff --git a/lib/backends.h b/lib/backends.h
index c6a638a..ecf1eca 100644 (file)
--- a/lib/backends.h
+++ b/lib/backends.h
@@ -109,6 +109,7 @@ typedef struct vorbis_info_residue0{
   /* first stage (lossless partitioning) */
   int    grouping;         /* group n vectors per partition */
   int    partitions;       /* possible codebooks for a partition */
+  int    partvals;         /* partitions ^ groupbook dim */
   int    groupbook;        /* huffbook for partitioning */
   int    secondstages[64]; /* expanded out to pointers in lookup */
   int    booklist[512];    /* list of second stage books */

diff --git a/lib/modes/residue_44.h b/lib/modes/residue_44.h
index 700d0fd..eb0e8e5 100644 (file)
--- a/lib/modes/residue_44.h
+++ b/lib/modes/residue_44.h
@@ -22,7 +22,7 @@
 /***** residue backends *********************************************/
 
 static const vorbis_info_residue0 _residue_44_low={
-  0,-1, -1, 9,-1,
+  0,-1, -1, 9,-1,-1,
   /*  0     1     2     3     4     5     6     7  */
   {0},
   {-1},
@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _residue_44_low={
 };
 
 static const vorbis_info_residue0 _residue_44_mid={
-  0,-1, -1, 10,-1,
+  0,-1, -1, 10,-1,-1,
   /*  0     1     2     3     4     5     6     7     8  */
   {0},
   {-1},
@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _residue_44_mid={
 };
 
 static const vorbis_info_residue0 _residue_44_high={
-  0,-1, -1, 10,-1,
+  0,-1, -1, 10,-1,-1,
   /*  0     1     2     3     4     5     6     7     8  */
   {0},
   {-1},

diff --git a/lib/modes/residue_44u.h b/lib/modes/residue_44u.h
index 4382633..90e0f23 100644 (file)
--- a/lib/modes/residue_44u.h
+++ b/lib/modes/residue_44u.h
@@ -23,7 +23,7 @@
 
 
 static const vorbis_info_residue0 _residue_44_low_un={
-  0,-1, -1, 8,-1,
+  0,-1, -1, 8,-1,-1,
   {0},
   {-1},
   {  .5,  1.5,  1.5,  2.5,  2.5,  4.5, 28.5},
@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _residue_44_low_un={
 };
 
 static const vorbis_info_residue0 _residue_44_mid_un={
-  0,-1, -1, 10,-1,
+  0,-1, -1, 10,-1,-1,
   /*  0     1     2     3     4     5     6     7     8     9 */
   {0},
   {-1},
@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _residue_44_mid_un={
 };
 
 static const vorbis_info_residue0 _residue_44_hi_un={
-  0,-1, -1, 10,-1,
+  0,-1, -1, 10,-1,-1,
   /*  0     1     2     3     4     5     6     7     8     9 */
   {0},
   {-1},

diff --git a/lib/res0.c b/lib/res0.c
index 59ab5fc..f1306a6 100644 (file)
--- a/lib/res0.c
+++ b/lib/res0.c
@@ -238,6 +238,10 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
 
   /* verify the phrasebook is not specifying an impossible or
      inconsistent partitioning scheme. */
+  /* modify the phrasebook ranging check from r16327; an early beta
+     encoder had a bug where it used an oversized phrasebook by
+     accident.  These files should continue to be playable, but don't
+     allow an exploit */
   {
     int entries = ci->book_param[info->groupbook]->entries;
     int dim = ci->book_param[info->groupbook]->dim;
@@ -247,7 +251,7 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
       if(partvals > entries) goto errout;
       dim--;
     }
-    if(partvals < entries) goto errout;
+    info->partvals = partvals;
   }
 
   return(info);
@@ -668,7 +672,7 @@ static int _01inverse(vorbis_block *vb,vorbis_look_residue *vl,
           for(j=0;j<ch;j++){
             int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
 
-            if(temp==-1)goto eopbreak;
+            if(temp==-1 || temp>=info->partvals)goto eopbreak;
             partword[j][l]=look->decodemap[temp];
             if(partword[j][l]==NULL)goto errout;
           }
@@ -884,7 +888,7 @@ int res2_inverse(vorbis_block *vb,vorbis_look_residue *vl,
         if(s==0){
           /* fetch the partition word */
           int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
-          if(temp==-1)goto eopbreak;
+          if(temp==-1 || temp>info->partvals)goto eopbreak;
           partword[l]=look->decodemap[temp];
           if(partword[l]==NULL)goto errout;
         }