From ea88e59b5dd48bc2179dd7db537923f9edbba707 Mon Sep 17 00:00:00 2001
From: Sean Barrett
Date: Sun, 8 Nov 2015 13:45:33 -0800
Subject: [PATCH] fix invalid handling of truncated end-of-file indicator
---
 stb_vorbis.c | 7 +++++--
 tests/test_vorbis.c | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/stb_vorbis.c b/stb_vorbis.c
index d902894..04f082e 100644
--- a/stb_vorbis.c
+++ b/stb_vorbis.c
@@ -906,7 +906,7 @@ static void *setup_malloc(vorb *f, int sz)
 static void setup_free(vorb *f, void *p)
 {
- if (f->alloc.alloc_buffer) return; // do nothing; setup mem is not a stack
+ if (f->alloc.alloc_buffer) return; // do nothing; setup mem is a stack
 free(p);
 }
@@ -3219,6 +3219,7 @@ static int vorbis_decode_initial(vorb *f, int *p_left_start, int *p_left_end, in
 *p_right_start = window_center;
 *p_right_end = n;
 }
+
 return TRUE;
 }
@@ -3457,7 +3458,7 @@ static int vorbis_decode_packet_rest(vorb *f, int *len, Mode *m, int left_start,
 if (f->current_loc_valid && (f->page_flag & PAGEFLAG_last_page)) {
 uint32 current_end = f->known_loc_for_packet - (n-right_end);
 // then let's infer the size of the (probably) short final frame
- if (current_end < f->current_loc + right_end) {
+ if (current_end < f->current_loc + (right_end-left_start)) {
 if (current_end < f->current_loc) {
 // negative truncation, that's impossible!
 *len = 0;
@@ -3465,6 +3466,7 @@ static int vorbis_decode_packet_rest(vorb *f, int *len, Mode *m, int left_start,
 *len = current_end - f->current_loc;
 }
 *len += left_start;
+ if (*len > right_end) *len = right_end; // this should never happen
 f->current_loc += *len;
 return TRUE;
 }
@@ -3482,6 +3484,7 @@ static int vorbis_decode_packet_rest(vorb *f, int *len, Mode *m, int left_start,
 if (f->alloc.alloc_buffer)
 assert(f->alloc.alloc_buffer_length_in_bytes == f->temp_offset);
 *len = right_end; // ignore samples after the window goes to 0
+
 return TRUE;
 }
diff --git a/tests/test_vorbis.c b/tests/test_vorbis.c
index 0d0c0cf..74566da 100644
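Review bot: In `vorbis_decode_packet_rest` (stb_vorbis.c, hunk at -3457) the new bound `f->current_loc + (right_end-left_start)` compares the `uint32` `current_end` against a sum that includes an `int` difference, and nothing in the hunk records the precondition this depends on. If `right_end` were ever smaller than `left_start`, or the sum wrapped, the last-page length would be inferred from an unrelated value, and these positions appear to come from the stream being decoded. A comment above the test would pin the intent, for example `// right_end-left_start = samples this frame contributes; requires right_end >= left_start`. The function starts and ends outside the hunk, so the types of `right_end` and `f->current_loc` are inferred rather than visible.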
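Review bot: The clamp `if (*len > right_end) *len = right_end; // this should never happen` (stb_vorbis.c, hunk at -3465) hides the condition it guards against: the length is shortened silently and `f->current_loc` still advances by the clamped value, so a caller cannot tell that the end-of-stream arithmetic went wrong. The comment should state why the bound matters, e.g. `// defensive: never report more samples than right_end, the end of this window`, and note that the tightened test in the previous hunk is what is expected to keep `*len` below `right_end`. Only an upper bound is enforced here; `*len` is an `int` assigned from `current_end - f->current_loc`, and the lower side rests entirely on the `current_end < f->current_loc` branch. The function continues outside the hunk.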
--- a/tests/test_vorbis.c
+++ b/tests/test_vorbis.c
@@ -8,7 +8,7 @@ extern void stb_vorbis_dumpmem(void);
 int main(int argc, char **argv)
 {
 size_t memlen;
- unsigned char *mem = stb_fileu("c:/x/vorbis/4.ogg", &memlen);
+ unsigned char *mem = stb_fileu("c:/x/vorbis/5.ogg", &memlen);
 int chan, samplerate;
 short *output;
 int samples = stb_vorbis_decode_memory(mem, memlen, &chan, &samplerate, &output);
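Review bot: The test still reads its input from a hard-coded absolute path, now `"c:/x/vorbis/5.ogg"`, so the regression case for this truncated end-of-file fix exists only on the author's machine and the fix cannot be re-verified elsewhere. In the visible lines `mem` goes straight from `stb_fileu` into `stb_vorbis_decode_memory` with no check that the file was actually read; a guard such as `if (mem == NULL) return 1;` right after the `stb_fileu` call would stop a missing file from being handed to the decoder as a null buffer. Taking the path from the command line would let the sample file live alongside the test. `main` continues past the end of the hunk.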