[FFmpeg-cvslog] r21726 - in branches/0.5: . libavcodec/vorbis_dec.c

siretart subversion
Tue Feb 9 20:49:28 CET 2010


Author: siretart
Date: Tue Feb  9 20:49:28 2010
New Revision: 21726

Log:
Add checks for per-packet mode indexes and per-header mode mapping indexes.
12_vorbis_mode_indexes.patch by chrome
maybe exploitable

r19990 by michael

Modified:
   branches/0.5/   (props changed)
   branches/0.5/libavcodec/vorbis_dec.c

Modified: branches/0.5/libavcodec/vorbis_dec.c
==============================================================================
--- branches/0.5/libavcodec/vorbis_dec.c	Tue Feb  9 20:47:42 2010	(r21725)
+++ branches/0.5/libavcodec/vorbis_dec.c	Tue Feb  9 20:49:28 2010	(r21726)
@@ -798,7 +798,11 @@ static int vorbis_parse_setup_hdr_modes(
         mode_setup->blockflag=get_bits1(gb);
         mode_setup->windowtype=get_bits(gb, 16); //FIXME check
         mode_setup->transformtype=get_bits(gb, 16); //FIXME check
-        mode_setup->mapping=get_bits(gb, 8); //FIXME check
+        mode_setup->mapping=get_bits(gb, 8);
+        if (mode_setup->mapping>=vc->mapping_count) {
+            av_log(vc->avccontext, AV_LOG_ERROR, "mode mapping value %d out of range. \n", mode_setup->mapping);
+            return 1;
+        }
 
         AV_DEBUG(" %d mode: blockflag %d, windowtype %d, transformtype %d, mapping %d \n", i, mode_setup->blockflag, mode_setup->windowtype, mode_setup->transformtype, mode_setup->mapping);
     }
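Review bot: `windowtype` and `transformtype`, read just above the new mapping test, are still stored without validation and keep their `//FIXME check` markers. The Vorbis I specification allows only zero for both fields, so the same rejection could cover them, e.g. `if (mode_setup->windowtype || mode_setup->transformtype) { av_log(vc->avccontext, AV_LOG_ERROR, "invalid mode window/transform type.\n"); return 1; }`. The new test also presumably relies on `vc->mapping_count` being final by the time the modes are parsed; a short comment stating that ordering would help, since the parse order is not visible in this hunk. This path returns `1` while the packet-side check in the second hunk returns `-1`, so it is worth confirming the caller treats any non-zero value as failure. vorbis_parse_setup_hdr_modes begins and continues outside the hunk.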
@@ -1458,6 +1462,10 @@ static int vorbis_parse_audio_packet(vor
     } else {
         mode_number=get_bits(gb, ilog(vc->mode_count-1));
     }
+    if (mode_number>=vc->mode_count) {
+        av_log(vc->avccontext, AV_LOG_ERROR, "mode number %d out of range.\n", mode_number);
+        return -1;
+    }
     vc->mode_number=mode_number;
     mapping=&vc->mappings[vc->modes[mode_number].mapping];
 
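Review bot: The added `mode_number>=vc->mode_count` test deserves a one-line comment explaining why a value read with `ilog(vc->mode_count-1)` bits can still be out of range. Assuming `ilog()` returns the bit length as in the Vorbis spec, something like `/* the bit field can encode values past mode_count-1 unless mode_count is a power of two */` would do. The lookup `vc->mappings[vc->modes[mode_number].mapping]` two lines below is only bounded because the setup-header parser now rejects `mapping>=vc->mapping_count`. Mentioning that dependency in the comment keeps the two checks from being separated by a later edit. vorbis_parse_audio_packet starts and ends outside the hunk.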


