From: Google Chrome <>
Date: Wed, 23 Sep 2009 14:19:17 +0000 (+0000)
Subject: Check submap indexes.
X-Git-Tag: v0.6~3187
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=aedc98b0a4ee434aa54908b815f78a4c563c1d31;p=platform%2Fupstream%2Flibav.git

Check submap indexes.
10_vorbis_submap_indexes.patch by chrome.
I am applying this even though Reimar had some comments to improve it as it fixes
a serious security issue and I do not want to leave such things unfixed.

Originally committed as revision 20001 to svn://svn.ffmpeg.org/ffmpeg/trunk
---

diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 2152f5f..ed4dace 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -752,9 +752,20 @@ static int vorbis_parse_setup_hdr_mappings(vorbis_context *vc) {
         }
 
         for(j=0;j<mapping_setup->submaps;++j) {
+            int bits;
             skip_bits(gb, 8); // FIXME check?
-            mapping_setup->submap_floor[j]=get_bits(gb, 8);
-            mapping_setup->submap_residue[j]=get_bits(gb, 8);
+            bits=get_bits(gb, 8);
+            if (bits>=vc->floor_count) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "submap floor value %d out of range. \n", bits);
+                return -1;
+            }
+            mapping_setup->submap_floor[j]=bits;
+            bits=get_bits(gb, 8);
+            if (bits>=vc->residue_count) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "submap residue value %d out of range. \n", bits);
+                return -1;
+            }
+            mapping_setup->submap_residue[j]=bits;
 
             AV_DEBUG("   %d mapping %d submap : floor %d, residue %d \n", i, j, mapping_setup->submap_floor[j], mapping_setup->submap_residue[j]);
         }