Some parameters do not get used, or only when certain config
defines are set. Explicitly mark them as unused to make compilers
happy.
Fixes issue #396.
This is definitely unnecessary, or at least I can't find anything
in the Vorbis spec that would indicate anything special happening
here.
Fixes issue #816.
When start_decoder() fails it may already have allocated memory
for .vendor and/or .comment_list. Call vorbis_deinit() to free
any allocated memory.
Fixes issue #1051.
Not an actual bug, it just looked wonky, but this code runs
with code lengths that are verified to be in range (<32) by
the length-reading code. Anyway.
Fixes issue #901.
I propose to remove this line because f->valid_bits will never be less than zero since, in the while loop, you're adding 8 to it. Therefore, it will always evaluate to false. This is to help remove redundant code.
The eliminated code removes the (ch == 1) branch, which is scoped
within this if condition: `if (rtype == 2 && ch != 1)`, therefore
the (ch == 1) branch will never be taken.
Fixes#842.
In the call to decode_residue:
decode_residue(f, residue_buffers, ch, n2, r, do_not_decode);
The channel count is previously intialized as zero and incremented
based on a for-loop (f->channels) plus a conditional,
if (map->chan[j].mux == i). If this doesn't happen then 'ch'
remains zero.
Once inside decode_residue(..), the code has three branches based
on channel count: stereo (ch == 2), mono (ch == 1), and then the
exception if it's neither of those (simple 'else'). It's in here
where a zero-valued 'ch' can be used as the denominator in these
calculations:
int c_inter = z % ch
p_inter = z/ch;
Obviously this 'else' branch is meant for channel counts greater
than two an not for zero channels; so this change simply makes
that branch only valid if (ch > 2).
CVE-2019-13217: heap buffer overflow in start_decoder()
CVE-2019-13218: stack buffer overflow in compute_codewords()
CVE-2019-13219: uninitialized memory in vorbis_decode_packet_rest()
CVE-2019-13220: out-of-range read in draw_line()
CVE-2019-13221: issue with large 1D codebooks in lookup1_values()
CVE-2019-13222: unchecked NULL returned by get_window()
CVE-2019-13223: division by zero in predict_point()
