From c761e218422b7f656635466fea013d9b4ba686f3 Mon Sep 17 00:00:00 2001 From: Tim Terriberry Date: Wed, 7 Jan 2015 03:16:56 +0000 Subject: [PATCH] Reject multiple headers of the same type. A common application pattern is to call vorbis_synthesis_headerin() and count how many times it succeeds. If you feed it multiple valid comment headers, they will all succeed, meaning you can be fooled into think you have a valid Vorbis file despite never seeing a setup header. This patch makes libvorbis reject multiple headers of the same type, preventing this from occurring. svn path=/trunk/vorbis/; revision=19426 --- lib/info.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/lib/info.c b/lib/info.c index 56ca386..fed4582 100644 --- a/lib/info.c +++ b/lib/info.c @@ -272,7 +272,6 @@ static int _vorbis_unpack_comment(vorbis_comment *vc,oggpack_buffer *opb){ static int _vorbis_unpack_books(vorbis_info *vi,oggpack_buffer *opb){ codec_setup_info *ci=vi->codec_setup; int i; - if(!ci)return(OV_EFAULT); /* codebooks */ ci->books=oggpack_read(opb,8)+1; @@ -411,6 +410,10 @@ int vorbis_synthesis_headerin(vorbis_info *vi,vorbis_comment *vc,ogg_packet *op) /* um... we didn't get the initial header */ return(OV_EBADHEADER); } + if(vc->vendor!=NULL){ + /* previously initialized comment header */ + return(OV_EBADHEADER); + } return(_vorbis_unpack_comment(vc,&opb)); @@ -419,6 +422,14 @@ int vorbis_synthesis_headerin(vorbis_info *vi,vorbis_comment *vc,ogg_packet *op) /* um... we didn;t get the initial header or comments yet */ return(OV_EBADHEADER); } + if(vi->codec_setup==NULL){ + /* improperly initialized vorbis_info */ + return(OV_EFAULT); + } + if(((codec_setup_info *)vi->codec_setup)->books>0){ + /* previously initialized setup header */ + return(OV_EBADHEADER); + } return(_vorbis_unpack_books(vi,&opb)); -- 2.7.4