Skip to content
Permalink
Browse files

Fix heap overflow access in vorbis decoder with specially crafted ogg…

… file, fixes #591 (Thanks khang06)
  • Loading branch information...
UnknownShadow200 committed Jun 13, 2019
1 parent ad314a5 commit 9ac97942c20b834718794b3ed43b837cf48128eb
Showing with 5 additions and 6 deletions.
  1. +5 −6 src/Vorbis.c
@@ -313,17 +313,16 @@ static ReturnCode Codebook_DecodeSetup(struct VorbisState* ctx, struct Codebook*
}
} else {
len = Vorbis_ReadBits(ctx, 5) + 1;
for (entry = 0; entry < c->Entries; entry += runLen) {
for (entry = 0; entry < c->Entries;) {
runBits = iLog(c->Entries - entry);
runLen = Vorbis_ReadBits(ctx, runBits);

for (i = entry; i < entry + runLen; i++) {
codewordLens[i] = len;
}
/* handle corrupted ogg files */
if (entry + runLen > c->Entries) return VORBIS_ERR_CODEBOOK_ENTRY;

for (i = 0; i < runLen; i++) { codewordLens[entry++] = len; }
c->NumCodewords[len++] = runLen;
if (entry > c->Entries) return VORBIS_ERR_CODEBOOK_ENTRY;
}
entry = c->Entries;
}

c->TotalCodewords = entry;

0 comments on commit 9ac9794

Please sign in to comment.
You can’t perform that action at this time.