- res_setup->begin=get_bits(gb, 24);
- res_setup->end=get_bits(gb, 24);
- res_setup->partition_size=get_bits(gb, 24)+1;
- res_setup->classifications=get_bits(gb, 6)+1;
- res_setup->classbook=get_bits(gb, 8);
+ res_setup->begin = get_bits(gb, 24);
+ res_setup->end = get_bits(gb, 24);
+ res_setup->partition_size = get_bits(gb, 24) + 1;
+ /* Validations to prevent a buffer overflow later. */
+ if (res_setup->begin>res_setup->end ||
+ res_setup->end > vc->avccontext->channels * vc->blocksize[1] / (res_setup->type == 2 ? 1 : 2) ||
+ (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
+ return -1;
+ }
+
+ res_setup->classifications = get_bits(gb, 6) + 1;
+ GET_VALIDATED_INDEX(res_setup->classbook, 8, vc->codebook_count)
+
+ res_setup->ptns_to_read =
+ (res_setup->end - res_setup->begin) / res_setup->partition_size;
+ res_setup->classifs = av_malloc(res_setup->ptns_to_read *
+ vc->audio_channels *
+ sizeof(*res_setup->classifs));
+ if (!res_setup->classifs)
+ return AVERROR(ENOMEM);
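Review bot: The upper bound on `res_setup->end` in the added validation looks looser than the buffer it is meant to protect: for types other than 2 it accepts up to `channels * blocksize[1] / 2`, and for type 2 up to `channels * blocksize[1]`, while the `av_log` call right below reports `vc->blocksize[1] / 2` as the block size. If each channel's residue vector holds `blocksize[1] / 2` values (the decode loop is not visible here, so this is inferred), the condition should read `res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 ||`. The validation failure also returns a bare `-1` while the allocation failure at the end returns `AVERROR(ENOMEM)`; `return AVERROR_INVALIDDATA;` would let callers tell a malformed stream from other errors. The enclosing function starts and ends outside the hunk.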