From 2c16bf2de07c68513072bf3cc96401d2c6291a3e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Fri, 11 Jan 2013 00:54:12 +0100
Subject: [PATCH] vorbisdec: Check bark_map_size.

This fixes potential divisions by zero and out of array accesses.

Reported-by: Dale Curtis <dalecurtis@chromium.org>
Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/vorbisdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 45096322f7..5c072e677b 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -597,6 +597,10 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc)
                        "Floor 0 amplitude bits is 0.\n");
                 return AVERROR_INVALIDDATA;
             }
+            if (floor_setup->data.t0.bark_map_size == 0) {
+                av_log(vc->avccontext, AV_LOG_ERROR, "Floor 0 bark map size is 0.\n");
+                return AVERROR_INVALIDDATA;
+            }
             floor_setup->data.t0.amplitude_offset = get_bits(gb, 8);
             floor_setup->data.t0.num_books        = get_bits(gb, 4) + 1;