From: Michael Niedermayer <[email protected]>

The value is used to calculate the output LSP curve, and a division by zero and out-of-array accesses would occur.
Reported-by: Dale Curtis <[email protected]> Found-by: [email protected] Signed-off-by: Michael Niedermayer <[email protected]> Signed-off-by: Luca Barbato <[email protected]> --- While looking at the specification, nothing in the spec prevents a really greedy encoder from assuming get_bits(0) == 0 for the amplitude check. I do hope we won't ever get there. libavcodec/vorbisdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 158bd6f..600083b 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -586,6 +586,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) floor_setup->data.t0.order = get_bits(gb, 8); floor_setup->data.t0.rate = get_bits(gb, 16); floor_setup->data.t0.bark_map_size = get_bits(gb, 16); + if (floor_setup->data.t0.bark_map_size == 0) { + av_log(vc->avccontext, AV_LOG_ERROR, + "Floor 0 bark map size is 0.\n"); + return AVERROR_INVALIDDATA; + } floor_setup->data.t0.amplitude_bits = get_bits(gb, 6); /* zero would result in a div by zero later * * 2^0 - 1 == 0 */ -- 1.8.1.2 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
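Review bot: The new bark_map_size == 0 check in vorbis_parse_setup_hdr_floors() has no comment saying why zero is rejected, while the amplitude_bits read directly below it carries one ("zero would result in a div by zero later"). A one-line comment above the check, stating that the value feeds the output LSP curve calculation and that zero leads to a division by zero and out-of-array accesses, would keep the two adjacent fields documented the same way. The remark after the "---" line, that nothing in the specification forbids an encoder from relying on a zero-width read, will not survive into the commit; if rejecting such streams is a deliberate choice, it belongs in the commit message or the comment. The hunk also does not show what the function has allocated before this point, so it is worth confirming that the early return AVERROR_INVALIDDATA leaves cleanup to the caller in the same way as the other error returns in this function.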
