fix a few crash bugs with invalid stb_vorbis files (reported by Philip Bennefall, found using a fuzz tester)

2015-09-03 11:16:19 -07:00 · 2015-09-03 11:16:19 -07:00 · a3d62dfec1
parent 7670656322
commit a3d62dfec1
2 changed files with 15 additions and 6 deletions
--- a/stb_vorbis.c
+++ b/stb_vorbis.c
@ -1053,7 +1053,7 @@ static int compute_codewords(Codebook *c, uint8 *len, int n, uint32 *values)
      // trivial to prove, but it seems true and the assert never
      // fires, so!
      while (z > 0 && !available[z]) --z;
-      if (z == 0) { assert(0); return FALSE; }
+      if (z == 0) { return FALSE; }
      res = available[z];
      available[z] = 0;
      add_entry(c, bit_reverse(res), i, m++, len[i], values);
@ -3138,7 +3138,8 @@ static int do_floor(vorb *f, Mapping *map, int i, int n, float *target, YTYPE *f
         {
            int hy = finalY[j] * g->floor1_multiplier;
            int hx = g->Xlist[j];
-            draw_line(target, lx,ly, hx,hy, n2);
+            if (lx != hx)
+               draw_line(target, lx,ly, hx,hy, n2);
            lx = hx, ly = hy;
         }
      }
@ -3430,9 +3431,15 @@ static int vorbis_decode_packet_rest(vorb *f, int *len, Mode *m, int left_start,
      f->current_loc_valid = TRUE;
      f->first_decode = FALSE;
   } else if (f->discard_samples_deferred) {
-      left_start += f->discard_samples_deferred;
-      *p_left = left_start;
-      f->discard_samples_deferred = 0;
+      if (f->discard_samples_deferred >= right_start - left_start) {
+         f->discard_samples_deferred -= (right_start - left_start);
+         left_start = right_start;
+         *p_left = left_start;
+      } else {
+         left_start += f->discard_samples_deferred;
+         *p_left = left_start;
+         f->discard_samples_deferred = 0;
+      }
   } else if (f->previous_length == 0 && f->current_loc_valid) {
      // we're recovering from a seek... that means we're going to discard
      // the samples from this packet even though we know our position from
@ -4182,7 +4189,7 @@ static void vorbis_deinit(stb_vorbis *p)
         setup_free(p, p->mapping[i].chan);
      setup_free(p, p->mapping);
   }
-   for (i=0; i < p->channels; ++i) {
+   for (i=0; i < p->channels && i < STB_VORBIS_MAX_CHANNELS; ++i) {
      setup_free(p, p->channel_buffers[i]);
      setup_free(p, p->previous_window[i]);
      #ifdef STB_VORBIS_NO_DEFER_FLOOR
--- a/tests/vorbseek/vorbseek.c
+++ b/tests/vorbseek/vorbseek.c
@ -85,6 +85,8 @@ int main(int argc, char **argv)
      unsigned int successes=0, attempts = 0;
      unsigned int num_samples = stb_vorbis_decode_filename(argv[j], &num_chan, &samprate, &output);

+      break;
+
      if (num_samples == 0xffffffff) {
         fprintf(stderr, "Error: couldn't open file or not vorbis file: %s\n", argv[j]);
         goto fail;