authorNils Wallménius <nils@rockbox.org>2010-12-06 16:48:57 +0000
committerNils Wallménius <nils@rockbox.org>2010-12-06 16:48:57 +0000
commitbdf8a243fa0d2d33475ab8b7fd61d791dfcea94f (patch)
tree4ae98ed4bcfc4fcdc2014b76846b68367639e6b3
parent0d43bf6a88f6634ed7a132d5ac227a007649f57b (diff)
libtremor: merge upstream revision 17513 'Add code to prevent heap attacks by exploiting dim==bignum and partition_codewords==partion_values^dim.'
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@28747 a1c6a512-1295-4272-9138-f99709370657
-rw-r--r--apps/codecs/libtremor/res012.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/apps/codecs/libtremor/res012.c b/apps/codecs/libtremor/res012.c
index a42660a065..9abe75aed2 100644
--- a/apps/codecs/libtremor/res012.c
+++ b/apps/codecs/libtremor/res012.c
@@ -112,6 +112,20 @@ static vorbis_info_residue *res0_unpack(vorbis_info *vi,oggpack_buffer *opb){
for(j=0;j<acc;j++)
if(info->booklist[j]>=ci->books)goto errout;
+ /* verify the phrasebook is not specifying an impossible or
+ inconsistent partitioning scheme. */
+ {
+ int entries = ci->book_param[info->groupbook]->entries;
+ int dim = ci->book_param[info->groupbook]->dim;
+ int partvals = 1;
+ while(dim>0){
+ partvals *= info->partitions;
+ if(partvals > entries) goto errout;
+ dim--;
+ }
+ if(partvals != entries) goto errout;
+ }
+
return(info);
errout:
res0_free_info(info);
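Review bot: The new partition check reads `ci->book_param[info->groupbook]->entries` and `->dim`, but nothing visible in this hunk bounds `info->groupbook` from below or confirms that the `book_param` slot is non-NULL; the neighbouring `booklist[j]>=ci->books` test covers only the upper bound. If the range check on `groupbook` sits earlier in `res0_unpack` (the function starts outside the hunk) and is likewise upper-bound only, a negative value, for instance from a bitstream read that ran out of data (assuming the field is a signed int), would index outside the array before this validation can reject the header. I would guard the block with `if(info->groupbook<0 || info->groupbook>=ci->books) goto errout;` unless that is already guaranteed above. The signed `partvals *= info->partitions` stays in range only because the `partvals > entries` exit runs on every iteration, which deserves a comment such as `/* early exit keeps partvals <= entries; assumes entries*partitions fits in int */`.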