From bd9e4426b408d3a32ad0dcd6846586837a00bd89 Mon Sep 17 00:00:00 2001
From: Tim Terriberry
Date: Sun, 4 Jan 2015 18:54:27 +0000
Subject: [PATCH] Fix crash on corrupt input file (invalid mode index)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

vorbis_packet_blocksize() crashes with a NULL pointer dereference, if the "mode" index read from the packet is too large. Check this immediately after reading the value and before accessing the mode parameters.

This crash potentially affects all users of libvorbisfile and anyone else who calls vorbis_packet_blocksize() manually.

Patch by Martin Steghöfer

Fixes #2140
Bug-Debian: https://bugs.debian.org/774516

svn path=/trunk/vorbis/; revision=19419
---
 lib/synthesis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/synthesis.c b/lib/synthesis.c
index 6ed554d..0f2df63 100644
--- a/lib/synthesis.c
+++ b/lib/synthesis.c
@@ -164,7 +164,7 @@ long vorbis_packet_blocksize(vorbis_info *vi,ogg_packet *op){
 
     /* read our mode and pre/post windowsize */
     mode=oggpack_read(&opb,modebits);
   }
-  if(mode==-1)return(OV_EBADPACKET);
+  if(mode==-1 || !ci->mode_param[mode])return(OV_EBADPACKET);
   return(ci->blocksizes[ci->mode_param[mode]->blockflag]);
 }
-- 
2.7.4
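Review bot: The added `!ci->mode_param[mode]` test on the new `if` line only rejects an out-of-range mode if two invariants hold that the hunk does not state: that `mode` (at most 2^modebits-1, since it is read with `modebits` bits) can never exceed the bounds of the `mode_param` array, and that every slot past the configured mode count is a NULL pointer rather than stale or uninitialised memory. Both appear to be true in the wider library (the array is fixed-size and the setup struct is zeroed, as far as I recall), but the check reads as an implicit contract; stating the range explicitly would make the guard self-evident and robust to future changes in how `mode_param` is allocated: `if(mode==-1 || mode>=ci->modes || !ci->mode_param[mode])return(OV_EBADPACKET);`. A one-line comment above the check, such as `/* modes need not be a power of two, so a modebits-wide index can exceed ci->modes */`, would also explain why a syntactically valid read still needs validation. Note that vorbis_packet_blocksize() begins before this hunk, so the derivation of `modebits` from `ci->modes` is not visible here; the reviewer should confirm it there.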