--- ffmpeg/libavcodec/vorbis_dec.c~ 2011-10-04 21:38:51.582577989 +0200
+++ ffmpeg/libavcodec/vorbis_dec.c 2011-10-04 21:38:51.600577863 +0200
@@ -483,6 +483,7 @@
 if (floor_setup->floor_type == 1) {
 int maximum_class = -1;
 uint_fast8_t rangebits;
+ uint_fast32_t rangemax;
 uint_fast16_t floor1_values = 2;
 floor_setup->decode = vorbis_floor1_decode;
@@ -534,8 +535,15 @@
 rangebits = get_bits(gb, 4);
+ rangemax = (1 << rangebits);
+ if (rangemax > vc->blocksize[1] / 2) {
+ av_log(vc->avccontext, AV_LOG_ERROR,
+ "Floor value is too large for blocksize: %d (%d)\n",
+ rangemax, vc->blocksize[1] / 2);
+ return -1;
+ }
 floor_setup->data.t1.list[0].x = 0;
- floor_setup->data.t1.list[1].x = (1 << rangebits);
+ floor_setup->data.t1.list[1].x = rangemax;
 for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
 for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) {
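Review bot: The `av_log` call added in the second hunk prints `rangemax` with `%d`, but the first hunk declares it `uint_fast32_t`, which is wider than `int` on common 64-bit ABIs. The mismatched variadic argument is undefined behaviour on exactly the path taken for a malformed setup header. The second argument, `vc->blocksize[1] / 2`, likely has the same problem, though the declaration of `blocksize` is not visible here. I would cast both and print them unsigned: `"Floor value is too large for blocksize: %u (%u)\n", (unsigned)rangemax, (unsigned)(vc->blocksize[1] / 2));`. A short comment above the check, such as `/* floor1 x values are read with rangebits bits, so they must fit within half the long block size */`, would record why the bound exists; the enclosing function starts and ends outside both hunks, so confirm the wording against the later reads.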