From b0ef1bc41dcd5690c2df1e2e9df15c695daa39e3 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 14 May 2015 10:22:40 -0700 Subject: Add sanity checks to fix crash Copy Huffman tree sanity check from libvorbis to avoid out of bounds memory access later on. Bug: 21048776 Change-Id: I3c508572501af188af4224e2a295e9f2554ec9c0 (cherry picked from commit 52193fa3472b79873e73044ce02e1c0a67c85043) Tested-by: Wolfgang Wiedmeyer --- Tremolo/codebook.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c index 0b596ee..0d34f56 100644 --- a/Tremolo/codebook.c +++ b/Tremolo/codebook.c @@ -210,6 +210,20 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, } } + // following sanity check copied from libvorbis + /* sanity check the huffman tree; an underpopulated tree must be + rejected. The only exception is the one-node pseudo-nil tree, + which appears to be underpopulated because the tree doesn't + really exist; there's only one possible 'codeword' or zero bits, + but the above tree-gen code doesn't mark that. */ + if(b->used_entries != 1){ + for(i=1;i<33;i++) + if(marker[i] & (0xffffffffUL>>(32-i))){ + return 1; + } + } + + return 0; } -- cgit v1.1