From c632716b034f3374cdc2e710bbb847c4d65238db Mon Sep 17 00:00:00 2001
From: Monty
Date: Sat, 12 Sep 2009 02:09:04 +0000
Subject: [PATCH] Modify fix for Trac #1572; some files from the earliest beta accidentally used an oversized phrasebook in res decode; allow these [technically corrept] files to play. The attack fix is still watertight, the check is simply made in a different way.
svn path=/trunk/vorbis/; revision=16552
---
 lib/backends.h | 1 +
 lib/modes/residue_44.h | 6 +++---
 lib/modes/residue_44u.h | 6 +++---
 lib/res0.c | 10 +++++++---
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/lib/backends.h b/lib/backends.h
index c6a638a..ecf1eca 100644
--- a/lib/backends.h
+++ b/lib/backends.h
@@ -109,6 +109,7 @@ typedef struct vorbis_info_residue0{
 /* first stage (lossless partitioning) */
 int grouping; /* group n vectors per partition */
 int partitions; /* possible codebooks for a partition */
+ int partvals; /* partitions ^ groupbook dim */
 int groupbook; /* huffbook for partitioning */
 int secondstages[64]; /* expanded out to pointers in lookup */
 int booklist[512]; /* list of second stage books */
diff --git a/lib/modes/residue_44.h b/lib/modes/residue_44.h
index 700d0fd..eb0e8e5 100644
--- a/lib/modes/residue_44.h
+++ b/lib/modes/residue_44.h
@@ -22,7 +22,7 @@
 /***** residue backends *********************************************/
 static const vorbis_info_residue0 _residue_44_low={
- 0,-1, -1, 9,-1,
+ 0,-1, -1, 9,-1,-1,
 /* 0 1 2 3 4 5 6 7 */
 {0},
 {-1},
@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _residue_44_low={
 };
 static const vorbis_info_residue0 _residue_44_mid={
- 0,-1, -1, 10,-1,
+ 0,-1, -1, 10,-1,-1,
 /* 0 1 2 3 4 5 6 7 8 */
 {0},
 {-1},
@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _residue_44_mid={
 };
 static const vorbis_info_residue0 _residue_44_high={
- 0,-1, -1, 10,-1,
+ 0,-1, -1, 10,-1,-1,
 /* 0 1 2 3 4 5 6 7 8 */
 {0},
 {-1},
diff --git a/lib/modes/residue_44u.h b/lib/modes/residue_44u.h
index 4382633..90e0f23 100644
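Review bot: The new `partvals` field of vorbis_info_residue0 is documented only by its formula, yet this same patch shows two different producers for it: the static templates in residue_44.h and residue_44u.h initialize it to -1, while res0_unpack computes it on the decode side from the groupbook's dim and the partition count. A reader of the header cannot tell which value to expect or who is responsible for setting it, so I would extend the comment to `/* partitions ^ groupbook dim; filled in by res0_unpack, -1 in static templates */`. Since the decode paths in this patch compare decoded phrasebook symbols against it, the comment could also state that it is the exclusive upper bound on valid symbols.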
--- a/lib/modes/residue_44u.h
+++ b/lib/modes/residue_44u.h
@@ -23,7 +23,7 @@ static const vorbis_info_residue0 _residue_44_low_un={
- 0,-1, -1, 8,-1,
+ 0,-1, -1, 8,-1,-1,
 {0},
 {-1},
 { .5, 1.5, 1.5, 2.5, 2.5, 4.5, 28.5},
@@ -31,7 +31,7 @@ static const vorbis_info_residue0 _residue_44_low_un={
 };
 static const vorbis_info_residue0 _residue_44_mid_un={
- 0,-1, -1, 10,-1,
+ 0,-1, -1, 10,-1,-1,
 /* 0 1 2 3 4 5 6 7 8 9 */
 {0},
 {-1},
@@ -40,7 +40,7 @@ static const vorbis_info_residue0 _residue_44_mid_un={
 };
 static const vorbis_info_residue0 _residue_44_hi_un={
- 0,-1, -1, 10,-1,
+ 0,-1, -1, 10,-1,-1,
 /* 0 1 2 3 4 5 6 7 8 9 */
 {0},
 {-1},
diff --git a/lib/res0.c b/lib/res0.c
index 59ab5fc..f1306a6 100644
--- a/lib/res0.c
+++ b/lib/res0.c
@@ -238,6 +238,10 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
 /* verify the phrasebook is not specifying an impossible or inconsistent partitioning scheme. */
+ /* modify the phrasebook ranging check from r16327; an early beta encoder had a bug where it used an oversized phrasebook by accident. These files should continue to be playable, but don't allow an exploit */
 {
 int entries = ci->book_param[info->groupbook]->entries;
 int dim = ci->book_param[info->groupbook]->dim;
@@ -247,7 +251,7 @@ vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
 if(partvals > entries) goto errout;
 dim--;
 }
- if(partvals < entries) goto errout;
+ info->partvals = partvals;
 }
 return(info);
@@ -668,7 +672,7 @@ static int _01inverse(vorbis_block *vb,vorbis_look_residue *vl,
 for(j=0;jphrasebook,&vb->opb);
- if(temp==-1)goto eopbreak;
+ if(temp==-1 || temp>=info->partvals)goto eopbreak;
 partword[j][l]=look->decodemap[temp];
 if(partword[j][l]==NULL)goto errout;
 }
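Review bot: With `info->partvals = partvals;` replacing `if(partvals < entries) goto errout;` in res0_unpack, a phrasebook with more entries than partvals is now accepted at setup time, and the only thing that stops a decoded symbol from indexing decodemap out of range is the comparison each decode site makes against partvals; that contract is mentioned in the comment added above the block but not at the point where the value is produced. I would annotate the assignment: `/* phrasebook may be larger than partvals; every decode site must reject symbols >= partvals before indexing decodemap */`. The `partvals > entries` check in the loop just above still bounds the product; that loop and the enclosing block begin before this hunk, so the full computation is not visible here.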
@@ -884,7 +888,7 @@ int res2_inverse(vorbis_block *vb,vorbis_look_residue *vl,
 if(s==0){
 /* fetch the partition word */
 int temp=vorbis_book_decode(look->phrasebook,&vb->opb);
- if(temp==-1)goto eopbreak;
+ if(temp==-1 || temp>info->partvals)goto eopbreak;
 partword[l]=look->decodemap[temp];
 if(partword[l]==NULL)goto errout;
 }
-- 
2.7.4
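Review bot: The guard added to res2_inverse uses `temp>info->partvals`, while the matching guard added to _01inverse in this same patch uses `temp>=info->partvals`; with the strict `>`, a decoded symbol equal to partvals passes and `look->decodemap[temp]` reads one element past the last valid index, assuming decodemap holds partvals entries (the allocation is not in this patch, so confirm). The `partword[l]==NULL` test on the following line cannot catch that, since it runs only after the out-of-range read. The line should be `if(temp==-1 || temp>=info->partvals)goto eopbreak;` so the two decode sites enforce the same bound. The loop enclosing this check in res2_inverse starts and ends outside the hunk.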