From ecf79c4d3e8baaf2f303278ef81db6f8407656bc Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Mon, 4 Jun 2012 18:27:03 -0700
Subject: vorbis: Validate that the floor 1 X values contain no duplicates.

Duplicate values in this vector are explicitly banned by the Vorbis I spec
and cause divide-by-zero crashes later on.
---
 libavcodec/vorbisdec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'libavcodec/vorbisdec.c')

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 36db356f27..3489b8f029 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -574,7 +574,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
             }
 
 // Precalculate order of x coordinates - needed for decode
-            ff_vorbis_ready_floor1_list(floor_setup->data.t1.list, floor_setup->data.t1.x_list_dim);
+            if (ff_vorbis_ready_floor1_list(vc->avccontext,
+                                            floor_setup->data.t1.list,
+                                            floor_setup->data.t1.x_list_dim)) {
+                return AVERROR_INVALIDDATA;
+            }
         } else if (floor_setup->floor_type == 0) {
             unsigned max_codebook_dim = 0;
 
-- 
cgit v1.2.3