--- libavcodec/vorbis_dec.c.orig 2008-07-10 20:29:34.000000000 +0200
+++ libavcodec/vorbis_dec.c 2011-03-05 02:32:07.000000000 +0100
@@ -729,9 +729,20 @@ static int vorbis_parse_setup_hdr_mappin
}
for(j=0;j<mapping_setup->submaps;++j) {
+ int bits;
skip_bits(gb, 8); // FIXME check?
- mapping_setup->submap_floor[j]=get_bits(gb, 8);
- mapping_setup->submap_residue[j]=get_bits(gb, 8);
+ bits=get_bits(gb, 8);
+ if (bits>=vc->floor_count) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "submap floor value %d out of range. \n", bits);
+ return -1;
+ }
+ mapping_setup->submap_floor[j]=bits;
+ bits=get_bits(gb, 8);
+ if (bits>=vc->residue_count) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "submap residue value %d out of range. \n", bits);
+ return -1;
+ }
+ mapping_setup->submap_residue[j]=bits;
AV_DEBUG(" %d mapping %d submap : floor %d, residue %d \n", i, j, mapping_setup->submap_floor[j], mapping_setup->submap_residue[j]);
}
distrib
>
Mageia
>
1
>
i586
>
media
>
core-updates-src
>
by-pkgid
>
cc1449fd094f04e3bf58d09425996df5
>
files
>
33
