[Ffmpeg-devel] Bugs in Vorbis decoder
Oded Shimon
ods15
Sat Sep 23 16:44:14 CEST 2006
2 bugs found in ffvorbis while working on my encoder. First one is simple,
off-by-one, 0 is a valid codebook number, -1 isn't. Patch attached, I'll
commit tomorrow if no one objects...
Second one is tougher - buffer overflow in vorbis.c:1304, an assumption
that the size of the block is 'rangebits' in the floor, when rangebits is
allowed by spec to be larger. The fix is to have the floor_decode function
know the actual size of the buffer, and not go over it.
- ods15
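
The fix described for the second bug, sketched as an added example (not FFmpeg's code and not part of the original message): an integer line-drawing routine in the style of Vorbis floor type 1 that takes the real output length `n` and clamps to it, even when the X coordinates run up to `1 << rangebits`. The function names and sample values are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical helper, not FFmpeg code: draw the integer line
 * (x0,y0)-(x1,y1) into out[], never writing at index n or beyond. */
static void render_line_bounded(int x0, int y0, int x1, int y1, int *out, int n)
{
    int dy = y1 - y0, adx = x1 - x0;
    if (adx <= 0 || x0 >= n)
        return;                        /* nothing to draw inside the buffer */
    int base = dy / adx;
    int sy   = dy < 0 ? base - 1 : base + 1;
    int ady  = abs(dy) - abs(base) * adx;
    int end  = x1 < n ? x1 : n;        /* clamp to the real buffer length */
    int y = y0, err = 0;
    out[x0] = y;
    for (int x = x0 + 1; x < end; x++) {
        err += ady;
        if (err >= adx) { err -= adx; y += sy; }
        else            { y += base; }
        out[x] = y;
    }
}

/* xs[] ascending with xs[0] == 0 and values up to 1 << rangebits;
 * n is the actual number of output samples, which may be smaller. */
void floor_render(const int *xs, const int *ys, int count, int *out, int n)
{
    int lx = 0, ly = ys[0];
    for (int i = 1; i < count && lx < n; i++) {
        render_line_bounded(lx, ly, xs[i], ys[i], out, n);
        lx = xs[i];
        ly = ys[i];
    }
    for (; lx < n; lx++)               /* curve ended early: hold last value */
        out[lx] = ly;
}

/* Constructed input: rangebits = 5 (X up to 32), but only 16 samples.
 * Four guard slots after the buffer must keep their canary value. */
int demo_canaries_intact(int *last)
{
    const int xs[] = { 0, 8, 32 }, ys[] = { 10, 18, 2 };
    int buf[20];
    for (int i = 0; i < 20; i++) buf[i] = -999;
    floor_render(xs, ys, 3, buf, 16);
    *last = buf[15];
    return buf[16] == -999 && buf[19] == -999;
}
```
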
-------------- next part --------------
Index: libavcodec/vorbis.c
===================================================================
--- libavcodec/vorbis.c (revision 6260)
+++ libavcodec/vorbis.c (working copy)
@@ -1186,7 +1186,7 @@
AV_DEBUG("book %d Cbits %d cval %d bits:%d \n", book, cbits, cval, get_bits_count(gb));
cval=cval>>cbits;
- if (book>0) {
+ if (book>-1) {
floor1_Y[offset+j]=get_vlc2(gb, vc->codebooks[book].vlc.table,
vc->codebooks[book].nb_bits, 3);
} else {
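
Review bot: the new test on the `+` line, `if (book>-1)`, bounds `book` only from below, and nothing visible in this hunk bounds it from above before `vc->codebooks[book]` is indexed on the next line. It would be worth confirming that `book` is validated against the number of codebooks where it is parsed, or adding that check here. As a style point, `book>=0` states the intent ("0 is a valid codebook number, -1 isn't") more directly than `book>-1`, and a one-line comment that a negative value means no codebook would explain the `else` branch.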