From 736e63edc88e7c5bd7db2ec00fc21b5c0d71d466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5ns=20Rullg=C3=A5rd?= <mans@mansr.com>
Date: Wed, 10 Oct 2007 22:59:36 +0000
Subject: [PATCH] check values more thoroughly in vorbis_header()

Originally committed as revision 10707 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/oggparsevorbis.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index f134d6d6e7..4cbf8fe422 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -183,15 +183,32 @@ vorbis_header (AVFormatContext * s, int idx)
     priv->packet[os->seq] = av_mallocz(os->psize);
     memcpy(priv->packet[os->seq], os->buf + os->pstart, os->psize);
     if (os->buf[os->pstart] == 1) {
-        uint8_t *p = os->buf + os->pstart + 11; //skip up to the audio channels
+        uint8_t *p = os->buf + os->pstart + 7; /* skip "\001vorbis" tag */
+        unsigned blocksize, bs0, bs1;
 
         if (os->psize != 30)
             return -1;
 
+        if (bytestream_get_le32(&p) != 0) /* vorbis_version */
+            return -1;
+
         st->codec->channels = bytestream_get_byte(&p);
         st->codec->sample_rate = bytestream_get_le32(&p);
         p += 4; // skip maximum bitrate
         st->codec->bit_rate = bytestream_get_le32(&p); // nominal bitrate
+        p += 4; // skip minimum bitrate
+
+        blocksize = bytestream_get_byte(&p);
+        bs0 = blocksize & 15;
+        bs1 = blocksize >> 4;
+
+        if (bs0 > bs1)
+            return -1;
+        if (bs0 < 6 || bs1 > 13)
+            return -1;
+
+        if (bytestream_get_byte(&p) != 1) /* framing_flag */
+            return -1;
 
         st->codec->codec_type = CODEC_TYPE_AUDIO;
         st->codec->codec_id = CODEC_ID_VORBIS;