demux: ogg: fix int overflow when parsing daala header

7 months ago · dda21a9cd9
1 changed files with 6 additions and 13 deletions
--- a/modules/demux/ogg.c
+++ b/modules/demux/ogg.c
@ -2765,8 +2765,7 @@ static bool Ogg_ReadDaalaHeader( logical_stream_t *p_stream,
    oggpack_buffer opb;
    uint32_t i_timebase_numerator;
    uint32_t i_timebase_denominator;
-    int keyframe_granule_shift;
-    unsigned int i_keyframe_frequency_force;
+    int i_keyframe_granule_shift;
    uint8_t i_major;
    uint8_t i_minor;
    uint8_t i_subminor;
@ -2800,18 +2799,12 @@ static bool Ogg_ReadDaalaHeader( logical_stream_t *p_stream,

    oggpack_adv( &opb, 32 ); /* frame duration */

-    keyframe_granule_shift = oggpack_read( &opb, 8 );
-    keyframe_granule_shift = __MIN(keyframe_granule_shift, 31);
-    i_keyframe_frequency_force = 1u << keyframe_granule_shift;
-
    /* granule_shift = i_log( frequency_force -1 ) */
-    p_stream->i_granule_shift = 0;
-    i_keyframe_frequency_force--;
-    while( i_keyframe_frequency_force )
-    {
-        p_stream->i_granule_shift++;
-        i_keyframe_frequency_force >>= 1;
-    }
+    i_keyframe_granule_shift = oggpack_read( &opb, 8 );
+    if ( i_keyframe_granule_shift < 0 || i_keyframe_granule_shift > 31 )
+        return false;
+
+    p_stream->i_granule_shift = i_keyframe_granule_shift;

    i_version = i_major * 1000000 + i_minor * 1000 + i_subminor;
    VLC_UNUSED(i_version);