From: Sejun Park
Date: Tue, 29 May 2018 00:49:33 +0000 (+0900)
Subject: [CVE-2018-10393] heap buffer overflow
X-Git-Tag: accepted/tizen/6.0/unified/20201030.105652~2
X-Git-Url: http://review.tizen.org/git/?p=platform%2Fupstream%2Flibvorbis.git;a=commitdiff_plain;h=62e9f6fa2ed7b1c4f60f7edbeb2ad378d281237c
[CVE-2018-10393] heap buffer overflow
Change-Id: I976da227a735780b01441f016c53b5f8ab4b9364
---
diff --git a/lib/codec_internal.h b/lib/codec_internal.h
index de1bcca..fab58d5 100644
--- a/lib/codec_internal.h
+++ b/lib/codec_internal.h
@@ -27,6 +27,7 @@
 #define BLOCKTYPE_LONG 1
 #define PACKETBLOBS 15
+#define MAX_CHANNEL 8
 typedef struct vorbis_block_internal{
 float **pcmdelay; /* this is a pointer into local storage */
diff --git a/lib/mapping0.c b/lib/mapping0.c
index 7d279a8..a4c0f6d 100644
--- a/lib/mapping0.c
+++ b/lib/mapping0.c
@@ -244,6 +244,8 @@ static int mapping0_forward(vorbis_block *vb){
 int n=vb->pcmend;
 int i,j,k;
+ if (vi->channels > MAX_CHANNEL || vi->channels < 0) return -1;
+ int *nonzero = alloca(sizeof(*nonzero)*vi->channels);
 float **gmdct = _vorbis_block_alloc(vb,vi->channels*sizeof(*gmdct));
 int **iwork = _vorbis_block_alloc(vb,vi->channels*sizeof(*iwork));
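Review bot: The new guard in mapping0_forward rejects negative and over-limit counts but still lets `vi->channels == 0` reach the `alloca` and the two `_vorbis_block_alloc` calls that follow, which then run with a zero size; `if (vi->channels <= 0 || vi->channels > MAX_CHANNEL) return -1;` closes that gap. The statement also sits in the middle of the declaration list, so the `nonzero`, `gmdct` and `iwork` declarations now follow code, which strict C89 compilers reject if the project still targets them; placing the check after the declarations and assigning the buffers there avoids it. `MAX_CHANNEL` in codec_internal.h has no comment saying why 8 is the limit or which buffer it protects, and the Vorbis I header allows up to 255 channels, so the define deserves a rationale such as `/* largest vi->channels mapping0_forward accepts; bounds the per-channel alloca below */`. The function body continues outside the hunk, so whether other uses of `vi->channels` are covered, and whether callers distinguish this bare `-1` from other failures, cannot be confirmed from here.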