Second hunk from secrity fix from google.
authorFrank Barchard <fbarchard@google.com>
Sat, 15 Jan 2011 17:10:49 +0000 (17:10 +0000)
committerMichael Niedermayer <michaelni@gmx.at>
Sat, 15 Jan 2011 17:10:49 +0000 (17:10 +0000)
The hunk is not fully understood, but it just makes a check tighter, so it's
safer for us to apply until it is fully understood.

Might fix issue 2550 (and Chrome issue 68115 and unknown CERT issues).
Our bugtracker issue, though, should stay open until this has been fully
investigated.

Patch by Frank Barchard, fbarchard at google

Originally committed as revision 26368 to svn://svn.ffmpeg.org/ffmpeg/trunk

libavcodec/vorbis_dec.c

index c2bde812efca51ef09ed893a8a03f9bc0df2aa26..4e16c4a7bc580db5465b04b8ef613b419a39eefe 100644 (file)
@@ -661,7 +661,7 @@ static int vorbis_parse_setup_hdr_residues(vorbis_context *vc)
         res_setup->partition_size = get_bits(gb, 24) + 1;
         /* Validations to prevent a buffer overflow later. */
         if (res_setup->begin>res_setup->end ||
-            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / (res_setup->type == 2 ? 1 : 2) ||
+            res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2 ||
             (res_setup->end-res_setup->begin) / res_setup->partition_size > V_MAX_PARTITIONS) {
             av_log(vc->avccontext, AV_LOG_ERROR, "partition out of bounds: type, begin, end, size, blocksize: %"PRIdFAST16", %"PRIdFAST32", %"PRIdFAST32", %u, %"PRIdFAST32"\n", res_setup->type, res_setup->begin, res_setup->end, res_setup->partition_size, vc->blocksize[1] / 2);
             return -1;
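Review bot: The added bound `res_setup->end > vc->avccontext->channels * vc->blocksize[1] / 2` still scales with the channel count for every residue type, which may remain too permissive for types 0 and 1. In the Vorbis format those types are decoded one channel vector at a time and only type 2 interleaves all channels, so if the decoder's per-channel buffers hold `blocksize[1] / 2` values (the decode path is outside this hunk, so this is inferred) the check should be `res_setup->end > (res_setup->type == 2 ? vc->avccontext->channels : 1) * vc->blocksize[1] / 2 ||`. The `av_log` call below also prints `vc->blocksize[1] / 2` without the channel factor, so the logged limit is not the one that was compared; logging the computed bound would make rejected streams easier to triage. The comment above the condition should state which buffer each term protects, since the commit message itself says the check is not fully understood. The body of vorbis_parse_setup_hdr_residues starts and ends outside the hunk.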