[FFmpeg-devel] [PATCH] avcodec/vorbisdec: Check for legal version, window and transform types

Tyler Jones tdjones879 at gmail.com
Mon Jul 24 01:33:36 EEST 2017 

Vorbis I specification requires that the version number as well as the
window and transform types in the setup header be equal to 0.

Signed-off-by: Tyler Jones <tdjones879 at gmail.com>
---
 libavcodec/vorbisdec.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 2a4f482031..f9c3848c4e 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -898,8 +898,16 @@ static int vorbis_parse_setup_hdr_modes(vorbis_context *vc)
         vorbis_mode *mode_setup = &vc->modes[i];
 
         mode_setup->blockflag     = get_bits1(gb);
-        mode_setup->windowtype    = get_bits(gb, 16); //FIXME check
-        mode_setup->transformtype = get_bits(gb, 16); //FIXME check
+        mode_setup->windowtype    = get_bits(gb, 16);
+        if (mode_setup->windowtype) {
+            av_log(vc->avctx, AV_LOG_ERROR, "Invalid window type, must equal 0.\n");
+            return AVERROR_INVALIDDATA;
+        }
+        mode_setup->transformtype = get_bits(gb, 16);
+        if (mode_setup->transformtype) {
+            av_log(vc->avctx, AV_LOG_ERROR, "Invalid transform type, must equal 0.\n");
+            return AVERROR_INVALIDDATA;
+        }
         GET_VALIDATED_INDEX(mode_setup->mapping, 8, vc->mapping_count);
 
         ff_dlog(NULL, " %u mode: blockflag %d, windowtype %d, transformtype %d, mapping %d\n",
@@ -969,7 +977,11 @@ static int vorbis_parse_id_hdr(vorbis_context *vc)
         return AVERROR_INVALIDDATA;
     }
 
-    vc->version        = get_bits_long(gb, 32);    //FIXME check 0
+    vc->version        = get_bits_long(gb, 32);
+    if (vc->version) {
+        av_log(vc->avctx, AV_LOG_ERROR, "Invalid version number\n");
+        return AVERROR_INVALIDDATA;
+    }
     vc->audio_channels = get_bits(gb, 8);
     if (vc->audio_channels <= 0) {
         av_log(vc->avctx, AV_LOG_ERROR, "Invalid number of channels\n");
-- 
2.13.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20170723/72750b3d/attachment.sig>

More information about the ffmpeg-devel mailing list