Check submap indexes.
authormichael <michael@9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
Wed, 23 Sep 2009 14:19:17 +0000 (14:19 +0000)
committermichael <michael@9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
Wed, 23 Sep 2009 14:19:17 +0000 (14:19 +0000)
10_vorbis_submap_indexes.patch by chrome.
I am applying this even though Reimar had some comments to improve it, as it fixes
a serious security issue and I do not want to leave such things unfixed.

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@20001 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

libavcodec/vorbis_dec.c

index 2152f5fed041b09657c41247f2365bd0e1f4abd9..ed4dace554adc59818ab814fe1d18d36603a6bd6 100644 (file)
@@ -752,9 +752,20 @@ static int vorbis_parse_setup_hdr_mappings(vorbis_context *vc) {
         }
 
         for(j=0;j<mapping_setup->submaps;++j) {
+            int bits;
             skip_bits(gb, 8); // FIXME check?
-            mapping_setup->submap_floor[j]=get_bits(gb, 8);
-            mapping_setup->submap_residue[j]=get_bits(gb, 8);
+            bits=get_bits(gb, 8);
+            if (bits>=vc->floor_count) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "submap floor value %d out of range. \n", bits);
+                return -1;
+            }
+            mapping_setup->submap_floor[j]=bits;
+            bits=get_bits(gb, 8);
+            if (bits>=vc->residue_count) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "submap residue value %d out of range. \n", bits);
+                return -1;
+            }
+            mapping_setup->submap_residue[j]=bits;
 
             AV_DEBUG("   %d mapping %d submap : floor %d, residue %d \n", i, j, mapping_setup->submap_floor[j], mapping_setup->submap_residue[j]);
         }
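Review bot: The two range checks added before the `submap_floor[j]` and `submap_residue[j]` stores carry no comment saying why the bound matters, so a later reader sees only an arbitrary comparison against `vc->floor_count` / `vc->residue_count`; the commit title and description say these are indexes whose out-of-range value was a serious security issue, and that should live in the code. I would add above the first check `/* submap_floor/submap_residue index the decoder's floor and residue tables; an unchecked 8-bit value from the stream would presumably read past them, so reject anything >= the configured count */`. The read-check-store sequence is also duplicated verbatim for floor and residue, which invites one copy being fixed without the other; a small static helper taking the bit reader, the count and the name would remove that risk. The loop body is complete, but vorbis_parse_setup_hdr_mappings itself starts before and ends after this hunk, so what the caller does with the -1 and the partially filled mapping_setup is not visible here.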