Fix crash on corrupt input file (invalid mode index)
author Tim Terriberry <tterribe@xiph.org>
Sun, 4 Jan 2015 18:54:27 +0000 (18:54 +0000)
committer Tim Terriberry <tterribe@xiph.org>
Sun, 4 Jan 2015 18:54:27 +0000 (18:54 +0000)
vorbis_packet_blocksize() crashes with a NULL pointer dereference,
if the "mode" index read from the packet is too large. Check this
immediately after reading the value and before accessing the mode
parameters. This crash potentially affects all users of libvorbisfile
and anyone else who calls vorbis_packet_blocksize() manually.

Patch by Martin Steghöfer <martin@steghoefer.eu>

Fixes #2140
Bug-Debian: https://bugs.debian.org/774516

svn path=/trunk/vorbis/; revision=19419

lib/synthesis.c

index 6ed554d..0f2df63 100644 (file)
@@ -164,7 +164,7 @@ long vorbis_packet_blocksize(vorbis_info *vi,ogg_packet *op){
     /* read our mode and pre/post windowsize */
     mode=oggpack_read(&opb,modebits);
   }
-  if(mode==-1)return(OV_EBADPACKET);
+  if(mode==-1 || !ci->mode_param[mode])return(OV_EBADPACKET);
   return(ci->blocksizes[ci->mode_param[mode]->blockflag]);
 }
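
Review bot: The new guard on the `+` line, `!ci->mode_param[mode]`, indexes `mode_param` with the value it is meant to validate. It is therefore only safe if every value that `oggpack_read(&opb,modebits)` can return lies inside the array and every unused slot is NULL, and neither property is established in the lines shown here. Consider range-checking `mode` against the number of configured modes before the array access, so the guard does not depend on how `modebits` was derived or on how the array was initialised. A short comment stating that unused entries are expected to be NULL would document the invariant that the unchanged `return` line below now relies on.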