[FFmpeg-devel] Neither vorbis_parse_setup_hdr_codebooks nor ff_vorbis_len2vlc verify data

Reimar Döffinger Reimar.Doeffinger
Sun Jul 5 10:21:01 CEST 2009


On Sun, Jul 05, 2009 at 10:18:02AM +0200, Reimar Döffinger wrote:
> Hello,
> sample is ogv/smclock.ogv.2.164.ogv from issue 1240.
> vorbis_parse_setup_hdr_codebooks can at least create values up to 33
> (get_bits(gb, 5)+1) in the bits array (I am unsure what is possible in
> the ordered case; it looks like even higher values are possible).
> ff_vorbis_len2vlc, which these values are then passed to, on the other
> hand just assumes that the bits values are at most 32; otherwise it just
> writes beyond the exit_at_level and onto the stack, overwriting the
> return address.
> Since there is no documentation for the function, the question is which
> is wrong? Should ff_vorbis_len2vlc have a check, or should
> vorbis_parse_setup_hdr_codebooks?

Btw. this seems enough to "fix" ff_vorbis_len2vlc:
Index: vorbis.c
===================================================================
--- vorbis.c    (revision 19346)
+++ vorbis.c    (working copy)
@@ -63,6 +63,7 @@
     }
 
     codes[p]=0;
+    if (bits[p] > 32) return 1;
     for(i=0;i<bits[p];++i) {
         exit_at_level[i+1]=1<<i;
     }
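Review bot: the new check `if (bits[p] > 32) return 1;` still lets the following loop `for(i=0;i<bits[p];++i) exit_at_level[i+1]=1<<i;` write exit_at_level[32] when bits[p] == 32, so it is only sufficient if exit_at_level has at least 33 entries; please confirm that against the declaration, which this hunk does not show. Two smaller points in the same lines: `1<<i` with i == 31 is a signed overflow (undefined behaviour), so if the array is unsigned it should be `1U<<i`; and the literal 32 would be clearer as a named constant tied to the array size, since the same limit is repeated further down in the patch. Returning 1 also only helps if every caller of ff_vorbis_len2vlc checks the return value, which is not visible here.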
@@ -79,6 +80,7 @@
     ++p;
 
     for(;p<num;++p) {
+        if (bits[p] > 32) return 1;
         if (bits[p]==0) continue;
         // find corresponding exit(node which the tree can grow further from)
         for(i=bits[p];i>0;--i) {
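Review bot: this is the same `if (bits[p] > 32) return 1;` as in the first hunk, duplicated for the second loop, and it again leaves 32 as a magic number; a single validation pass over the whole bits array before any exit_at_level access would remove the duplication and make the limit explicit in one place. Its position before `if (bits[p]==0) continue;` is fine (0 can never exceed 32). Since, as the quoted mail notes, vorbis_parse_setup_hdr_codebooks can produce these values (and possibly larger ones in the ordered case), rejecting the codebook at the parser as well would give a proper error at the source instead of a silent return 1 from ff_vorbis_len2vlc.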

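As an added, stand-alone illustration of the problem discussed in this thread (this is not FFmpeg's code and not the patch above; the function and variable names are my own), the following C program validates a Vorbis codebook length list before anything indexes a fixed-size table, then assigns codewords in symbol order using the lowest-available-code rule. Instead of a fixed stack array indexed by attacker-controlled lengths, it keeps the free subtrees of the code tree in a heap-allocated list sized from the input. The Kraft-inequality (overpopulation) check goes beyond what the thread discusses; the length lists in main() are constructed, including one carrying the out-of-range value 33 from the bug report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vorbis codeword lengths are read as a 5-bit field plus one, so a valid
 * length is 1..32 bits; 0 marks an unused codebook entry. */
#define MAX_CODE_LEN 32

/* A free (not yet assigned) subtree of the code tree: every codeword that
 * starts with the `depth`-bit prefix `prefix`. depth 0 is the whole tree. */
typedef struct {
    uint32_t prefix;
    int depth;
} free_subtree;

/* Validate the length list before it touches any fixed-size table.
 * Returns 0 if every length is 0..MAX_CODE_LEN and the lengths are not
 * overpopulated (Kraft sum <= 1), -1 otherwise. */
int check_code_lengths(const uint8_t *bits, size_t num)
{
    uint64_t kraft = 0;   /* running sum of 2^(32 - len), in units of 2^-32 */

    for (size_t i = 0; i < num; i++) {
        if (bits[i] == 0)
            continue;
        if (bits[i] > MAX_CODE_LEN)          /* the check missing in the bug report */
            return -1;
        kraft += 1ULL << (MAX_CODE_LEN - bits[i]);
        if (kraft > (1ULL << MAX_CODE_LEN))  /* more leaves than a 32-deep tree has */
            return -1;
    }
    return 0;
}

/* Assign codewords in symbol order, each one the lowest-valued free code of
 * its length (the Vorbis rule). codes[i] is left untouched where bits[i]==0.
 * Returns 0 on success, -1 if the lengths are invalid. */
int assign_codewords(const uint8_t *bits, size_t num, uint32_t *codes)
{
    if (check_code_lengths(bits, num) != 0)
        return -1;

    /* Each assignment removes one free subtree and adds at most MAX_CODE_LEN,
     * so this many slots cannot overflow for any input. */
    size_t cap = num * MAX_CODE_LEN + 1;
    free_subtree *fr = malloc(cap * sizeof *fr);
    if (!fr)
        return -1;
    size_t nfree = 1;
    fr[0].prefix = 0;
    fr[0].depth = 0;                         /* initially the whole tree is free */

    for (size_t s = 0; s < num; s++) {
        int len = bits[s];
        if (len == 0)
            continue;

        /* Pick the free subtree of depth <= len whose leftmost len-bit code
         * is smallest; that code is the lowest one still available. */
        size_t best = nfree;
        uint64_t best_code = 0;
        for (size_t f = 0; f < nfree; f++) {
            if (fr[f].depth > len)
                continue;
            uint64_t c = (uint64_t)fr[f].prefix << (len - fr[f].depth);
            if (best == nfree || c < best_code) {
                best = f;
                best_code = c;
            }
        }
        if (best == nfree) {                 /* impossible after the Kraft check; stay safe */
            free(fr);
            return -1;
        }
        codes[s] = (uint32_t)best_code;

        /* Consume the chosen subtree: on the path from its root down to the
         * new leaf, every right sibling of the path remains free. */
        int from = fr[best].depth;
        fr[best] = fr[--nfree];
        for (int d = from + 1; d <= len; d++) {
            fr[nfree].prefix = (uint32_t)(best_code >> (len - d)) | 1u;
            fr[nfree].depth = d;
            nfree++;
        }
    }
    free(fr);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a valid list, and one with the value 33 from the report. */
    uint8_t good[] = { 2, 4, 2, 3, 4 };
    uint8_t bad[]  = { 2, 33, 0 };
    uint32_t codes[5];

    if (assign_codewords(good, 5, codes) == 0)
        for (size_t i = 0; i < 5; i++)
            printf("symbol %zu: length %u code %u\n", i, good[i], (unsigned)codes[i]);
    printf("bad list rejected: %s\n",
           assign_codewords(bad, 3, codes) == -1 ? "yes" : "no");
    return 0;
}
```

For the constructed list { 2, 4, 2, 3, 4 } the assigned codes are 00, 0100, 10, 011 and 0101 (0, 4, 2, 3, 5 as integers), each the lowest code of its length that neither has an assigned prefix nor is a prefix of one; the list containing 33 is refused before any table is touched.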

