vorbisdec: reject rangebits 0 with non-0 partitions
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Sun, 3 Jan 2016 18:11:24 +0000 (19:11 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Wed, 27 Jan 2016 22:45:44 +0000 (23:45 +0100)
This causes non-unique elements in floor_setup->data.t1.list, which
makes the stream undecodable according to the specification.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit e7a7b3135a4e5ba4bd2e144444d95a7563f53e9b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavcodec/vorbisdec.c

index 4dd47ac..225f1e9 100644 (file)
@@ -573,6 +573,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
                 return AVERROR(ENOMEM);
 
             rangebits = get_bits(gb, 4);
+            if (!rangebits && floor_setup->data.t1.partitions) {
+                av_log(vc->avctx, AV_LOG_ERROR,
+                       "A rangebits value of 0 is not compliant with the Vorbis I specification.\n");
+                return AVERROR_INVALIDDATA;
+            }
             rangemax = (1 << rangebits);
             if (rangemax > vc->blocksize[1] / 2) {
                 av_log(vc->avctx, AV_LOG_ERROR,