From b0ef1bc41dcd5690c2df1e2e9df15c695daa39e3 Mon Sep 17 00:00:00 2001
From: Marco Nelissen <marcone@google.com>
Date: Thu, 14 May 2015 10:22:40 -0700
Subject: Add sanity checks to fix crash

Copy Huffman tree sanity check from libvorbis to avoid out of bounds memory
access later on.

Bug: 21048776
Change-Id: I3c508572501af188af4224e2a295e9f2554ec9c0
(cherry picked from commit 52193fa3472b79873e73044ce02e1c0a67c85043)
Tested-by: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>
---
 Tremolo/codebook.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c
index 0b596ee..0d34f56 100644
--- a/Tremolo/codebook.c
+++ b/Tremolo/codebook.c
@@ -210,6 +210,20 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals,
     }
   }
 
+  // following sanity check copied from libvorbis
+  /* sanity check the huffman tree; an underpopulated tree must be
+     rejected. The only exception is the one-node pseudo-nil tree,
+     which appears to be underpopulated because the tree doesn't
+     really exist; there's only one possible 'codeword' or zero bits,
+     but the above tree-gen code doesn't mark that. */
+  if(b->used_entries != 1){
+    for(i=1;i<33;i++)
+      if(marker[i] & (0xffffffffUL>>(32-i))){
+          return 1;
+      }
+  }
+
+
   return 0;
 }
 
-- 
cgit v1.1