AstralTransRocketries/ClassiCube
1
0
Fork 0
mirror of https://github.com/ClassiCube/ClassiCube.git synced 2025-09-18 03:55:19 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix heap overflow access in vorbis decoder with specially crafted ogg file, fixes #591 (Thanks khang06)

Browse Source
This commit is contained in:
UnknownShadow200 2019-06-13 11:52:21 +10:00
parent ad314a5c55
commit 9ac97942c2
1 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/Vorbis.c
View File

@ -313,17 +313,16 @@ static ReturnCode Codebook_DecodeSetup(struct VorbisState* ctx, struct Codebook*
} }
} else { } else {
len = Vorbis_ReadBits(ctx, 5) + 1; len = Vorbis_ReadBits(ctx, 5) + 1;
for (entry = 0; entry < c->Entries; entry += runLen) { for (entry = 0; entry < c->Entries;) {
runBits = iLog(c->Entries - entry); runBits = iLog(c->Entries - entry);
runLen = Vorbis_ReadBits(ctx, runBits); runLen = Vorbis_ReadBits(ctx, runBits);
for (i = entry; i < entry + runLen; i++) { /* handle corrupted ogg files */
codewordLens[i] = len; if (entry + runLen > c->Entries) return VORBIS_ERR_CODEBOOK_ENTRY;
}
for (i = 0; i < runLen; i++) { codewordLens[entry++] = len; }
c->NumCodewords[len++] = runLen; c->NumCodewords[len++] = runLen;
if (entry > c->Entries) return VORBIS_ERR_CODEBOOK_ENTRY;
} }
entry = c->Entries;
} }
c->TotalCodewords = entry; c->TotalCodewords = entry;