Traneptora/FFmpeg
1
Fork 0
forked from FFmpeg/FFmpeg
Code Pull requests Activity

vorbis: An additional defense in the Vorbis codec.

Browse source 
Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Chris Evans 2012-01-05 21:25:41 +01:00 committed by Reinhard Tartler
parent e6d527ff72
commit afb2aa5379
1 changed files with 27 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

37
libavcodec/vorbisdec.c
View file

@ -1281,6 +1281,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
uint8_t *do_not_decode, uint8_t *do_not_decode,
float *vec, float *vec,
unsigned vlen, unsigned vlen,
unsigned ch_left,
int vr_type) int vr_type)
{ {
GetBitContext *gb = &vc->gb; GetBitContext *gb = &vc->gb;
@ -1288,6 +1289,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
unsigned ptns_to_read = vr->ptns_to_read; unsigned ptns_to_read = vr->ptns_to_read;
uint8_t *classifs = vr->classifs; uint8_t *classifs = vr->classifs;
unsigned pass, ch_used, i, j, k, l; unsigned pass, ch_used, i, j, k, l;
unsigned max_output = (ch - 1) * vlen;
if (vr_type == 2) { if (vr_type == 2) {
for (j = 1; j < ch; ++j) for (j = 1; j < ch; ++j)
@ -1295,8 +1297,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
if (do_not_decode[0]) if (do_not_decode[0])
return 0; return 0;
ch_used = 1; ch_used = 1;
max_output += vr->end / ch;
} else { } else {
ch_used = ch; ch_used = ch;
max_output += vr->end;
}
if (max_output > ch_left * vlen) {
av_log(vc->avccontext, AV_LOG_ERROR, "Insufficient output buffer\n");
return -1;
} }
av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c); av_dlog(NULL, " residue type 0/1/2 decode begin, ch: %d cpc %d \n", ch, c_p_c);
@ -1423,14 +1432,15 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr, static inline int vorbis_residue_decode(vorbis_context *vc, vorbis_residue *vr,
unsigned ch, unsigned ch,
uint8_t *do_not_decode, uint8_t *do_not_decode,
float *vec, unsigned vlen) float *vec, unsigned vlen,
unsigned ch_left)
{ {
if (vr->type == 2) if (vr->type == 2)
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 2); return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 2);
else if (vr->type == 1) else if (vr->type == 1)
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 1); return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 1);
else if (vr->type == 0) else if (vr->type == 0)
return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, 0); return vorbis_residue_decode_internal(vc, vr, ch, do_not_decode, vec, vlen, ch_left, 0);
else { else {
av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n"); av_log(vc->avccontext, AV_LOG_ERROR, " Invalid residue type while residue decode?! \n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
@ -1478,7 +1488,8 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
uint8_t res_chan[255]; uint8_t res_chan[255];
unsigned res_num = 0; unsigned res_num = 0;
int retlen = 0; int retlen = 0;
int ch_left = vc->audio_channels; unsigned ch_left = vc->audio_channels;
unsigned vlen;
if (get_bits1(gb)) { if (get_bits1(gb)) {
av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n"); av_log(vc->avccontext, AV_LOG_ERROR, "Not a Vorbis I audio packet.\n");
@ -1498,11 +1509,12 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
blockflag = vc->modes[mode_number].blockflag; blockflag = vc->modes[mode_number].blockflag;
blocksize = vc->blocksize[blockflag]; blocksize = vc->blocksize[blockflag];
vlen = blocksize / 2;
if (blockflag) if (blockflag)
skip_bits(gb, 2); // previous_window, next_window skip_bits(gb, 2); // previous_window, next_window
memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ? memset(ch_res_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * blocksize / 2); //FIXME can this be removed ? memset(ch_floor_ptr, 0, sizeof(float) * vc->audio_channels * vlen); //FIXME can this be removed ?
// Decode floor // Decode floor
@ -1522,7 +1534,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
no_residue[i] = ret; no_residue[i] = ret;
ch_floor_ptr += blocksize / 2; ch_floor_ptr += vlen;
} }
// Nonzero vector propagate // Nonzero vector propagate
@ -1539,6 +1551,7 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
for (i = 0; i < mapping->submaps; ++i) { for (i = 0; i < mapping->submaps; ++i) {
vorbis_residue *residue; vorbis_residue *residue;
unsigned ch = 0; unsigned ch = 0;
int ret;
for (j = 0; j < vc->audio_channels; ++j) { for (j = 0; j < vc->audio_channels; ++j) {
if ((mapping->submaps == 1) || (i == mapping->mux[j])) { if ((mapping->submaps == 1) || (i == mapping->mux[j])) {
@ -1557,9 +1570,13 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n"); av_log(vc->avccontext, AV_LOG_ERROR, "Too many channels in vorbis_floor_decode.\n");
return -1; return -1;
} }
vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, blocksize/2); if (ch) {
ret = vorbis_residue_decode(vc, residue, ch, do_not_decode, ch_res_ptr, vlen, ch_left);
if (ret < 0)
return ret;
}
ch_res_ptr += ch * blocksize / 2; ch_res_ptr += ch * vlen;
ch_left -= ch; ch_left -= ch;
} }