From feb7319a0415dd4a65a9746d1c0748aa4894c396 Mon Sep 17 00:00:00 2001
From: Nedeljko Babic <nbabic@mips.com>
Date: Tue, 27 Mar 2012 14:27:08 +0200
Subject: Additional codebook validity checks.

[Import part of the changes from Tremor (3b65200 2010-10-16)]
---
 codebook.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/codebook.c b/codebook.c
index cd9dc26..28071b6 100644
--- a/codebook.c
+++ b/codebook.c
@@ -422,7 +422,7 @@ int vorbis_book_unpack(oggpack_buffer *opb,codebook *s){
     /* ordered */
     {
       long length=oggpack_read(opb,5)+1;
-
+      if(length==0)goto _eofout;
       s->used_entries=s->entries;
       lengthlist=(char *)alloca(sizeof(*lengthlist)*s->entries);
       if (!lengthlist) goto _eofout;
@@ -430,8 +430,11 @@ int vorbis_book_unpack(oggpack_buffer *opb,codebook *s){
       for(i=0;i<s->entries;){
 	long num=oggpack_read(opb,_ilog(s->entries-i));
 	if(num<0)goto _eofout;
-	if(length>32)goto _errout;
-	for(j=0;j<num && i<s->entries;j++,i++)
+	if(length>32 || num>s->entries-i ||
+	   (num>0 && num-1>>(length>>1)>>((length+1)>>1))>0){
+	  goto _errout;
+	}
+	for(j=0;j<num;j++,i++)
 	  lengthlist[i]=(char)length;
 	s->dec_maxlength=length;
 	length++;
-- 
cgit v1.2.1