From 69a318bdb3bbaf7327a87bd18ec7d9b223091fe6 Mon Sep 17 00:00:00 2001
From: Sean Barrett
Date: Sun, 8 Nov 2015 13:20:55 -0800
Subject: [PATCH] fix two invalid-file crashes found by fuzz testing
---
 stb_vorbis.c | 3 +++
 tests/test_vorbis.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/stb_vorbis.c b/stb_vorbis.c
index ac22315..d902894 100644
--- a/stb_vorbis.c
+++ b/stb_vorbis.c
@@ -3715,6 +3715,8 @@ static int start_decoder(vorb *f)
 ordered = get_bits(f,1);
 c->sparse = ordered ? 0 : get_bits(f,1);
+ if (c->dimensions == 0 && c->entries != 0) return error(f, VORBIS_invalid_setup);
+
 if (c->sparse)
 lengths = (uint8 *) setup_temp_malloc(f, c->entries);
 else
@@ -3998,6 +4000,7 @@ static int start_decoder(vorb *f)
 if (f->residue_types[i] > 2) return error(f, VORBIS_invalid_setup);
 r->begin = get_bits(f, 24);
 r->end = get_bits(f, 24);
+ if (r->end < r->begin) return error(f, VORBIS_invalid_setup);
 r->part_size = get_bits(f,24)+1;
 r->classifications = get_bits(f,6)+1;
 r->classbook = get_bits(f,8);
diff --git a/tests/test_vorbis.c b/tests/test_vorbis.c
index f24376d..0d0c0cf 100644
--- a/tests/test_vorbis.c
+++ b/tests/test_vorbis.c
@@ -8,7 +8,7 @@ extern void stb_vorbis_dumpmem(void);
 int main(int argc, char **argv)
 {
 size_t memlen;
- unsigned char *mem = stb_fileu("c:/x/vorbis/1.ogg", &memlen);
+ unsigned char *mem = stb_fileu("c:/x/vorbis/4.ogg", &memlen);
 int chan, samplerate;
 short *output;
 int samples = stb_vorbis_decode_memory(mem, memlen, &chan, &samplerate, &output);
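Review bot: The new `c->dimensions == 0 && c->entries != 0` check in the first stb_vorbis.c hunk has no comment naming the later computation it protects, so a refactor could move or drop it without knowing it covers a fuzz-found crash. I would add above it `// untrusted header: entries without dimensions is an invalid codebook; reject before lengths is allocated`. The check sits ahead of the `setup_temp_malloc` branch, so this return presumably leaves nothing from the current codebook to free, but start_decoder begins and ends outside the hunk and that cannot be confirmed from here. The commit also adds no regression input for the crash; tests/test_vorbis.c only swaps one hard-coded local path for another.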
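Review bot: The added `r->end < r->begin` check in the second stb_vorbis.c hunk only orders the two 24-bit values read from the file; nothing visible bounds either of them against the size of the buffer the residue is later decoded into. If the decode path does not already limit `r->end` to the block length, a malformed file can still declare a range that extends past the data, so that clamp should be confirmed or added where the range is consumed. A comment such as `// begin/end come straight from the file; only their ordering is validated here` would make the limit of this check explicit. start_decoder's body continues outside the hunk, so the decode-time handling is not visible here.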