tremolo: Fix Index out of bounds in oggpack_look

Check on max decode length in vorbis_book_unpack Bug: 169829774 Test: POC in bug description Change-Id: I823372f748bccf0172a9c33ef7b8ba740fdfec66 (cherry picked from commit 4d3a20ad38b0b700a57397c4b576e2b5e29d6441)
author: Neelkamal Semwal <neelkamal.semwal@ittiam.com> 2020-10-16 09:41:32 +0530
committer: Ray Essick <essick@google.com> 2020-12-03 19:58:22 +0000
commit: cf5cb978c0b061bab479f52451f798d77107b27a (patch)
tree: de4523fbb0a4e2bd2a34abd73957f15232b21ecc
parent: 6a2e0ed259c13a68bef6f8a5acfe5daf81f20776 (diff)
download: tremolo-cf5cb978c0b061bab479f52451f798d77107b27a.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c
index 84721e7..43c4917 100644
--- a/Tremolo/codebook.c
+++ b/Tremolo/codebook.c
@@ -476,6 +476,7 @@ int vorbis_book_unpack(oggpack_buffer *opb,codebook *s){
       for(i=0;i<s->entries;){
         long num=oggpack_read(opb,_ilog(s->entries-i));
         if(num<0)goto _eofout;
+        if(length>32) goto _errout;
         for(j=0;j<num && i<s->entries;j++,i++)
           lengthlist[i]=(char)length;
         s->dec_maxlength=length;
author	Neelkamal Semwal <neelkamal.semwal@ittiam.com>	2020-10-16 09:41:32 +0530
committer	Ray Essick <essick@google.com>	2020-12-03 19:58:22 +0000
commit	cf5cb978c0b061bab479f52451f798d77107b27a (patch)
tree	de4523fbb0a4e2bd2a34abd73957f15232b21ecc
parent	6a2e0ed259c13a68bef6f8a5acfe5daf81f20776 (diff)
download	tremolo-cf5cb978c0b061bab479f52451f798d77107b27a.tar.gz