Second hunk from secrity fix from google.
authorFrank Barchard <fbarchard@google.com>
Sat, 15 Jan 2011 17:10:49 +0000 (17:10 +0000)
committerMichael Niedermayer <michaelni@gmx.at>
Sat, 15 Jan 2011 17:10:49 +0000 (17:10 +0000)
The hunk is not fully understood but it just makes a check tighter so its
safer for us to apply until it is fully understood.

Might fix issue 2550 (and Chrome issue 68115 and unknown CERT issues).
Our bugtracker issue though should stay open until this has been fully
investiagted

Patch by Frank Barchard, fbarchard at google

Originally committed as revision 26368 to svn://svn.ffmpeg.org/ffmpeg/trunk

libavcodec/vorbis_dec.c

index c2bde81..4e16c4a 100644 (file)
@@ -661,7 +661,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc)
         res_setup->partition_size = get_bits(gb, 24) + 1;
         /* Validations to prevent a buffer overflow later. */
         if (res_setup->begin>res_setup->end ||
-            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / (res_setup->type == 2 ? 1 : 2) ||
+            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
             (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
             av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
             return -1;