From 5e0efc22f8fa5aa3aaf36d7b6ed61aa718a488b7 Mon Sep 17 00:00:00 2001 From: Monty Date: Tue, 7 Jul 2009 23:18:05 +0000 Subject: [PATCH] Fix for Mozilla BZ #501279 Will need to review/patch Tremor as well, more thorough pattern review of unpacking in the face of incomplete header packets in progress in mainline as well. svn path=/trunk/vorbis/; revision=16218 --- lib/res0.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/lib/res0.c b/lib/res0.c index 48caa27..7bdde0e 100644 --- a/lib/res0.c +++ b/lib/res0.c @@ -208,16 +208,27 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){ info->partitions=oggpack_read(opb,6)+1; info->groupbook=oggpack_read(opb,8); + /* check for premature EOP */ + if(info->groupbook<0)goto errout; + for(j=0;jpartitions;j++){ int cascade=oggpack_read(opb,3); - if(oggpack_read(opb,1)) - cascade|=(oggpack_read(opb,5)<<3); + int cflag=oggpack_read(opb,1); + if(cflag<0) goto errout; + if(cflag){ + int c=oggpack_read(opb,5); + if(c<0) goto errout; + cascade|=(c<<3); + } info->secondstages[j]=cascade; acc+=icount(cascade); } - for(j=0;jbooklist[j]=oggpack_read(opb,8); + for(j=0;jbooklist[j]=book; + } if(info->groupbook>=ci->books)goto errout; for(j=0;j