# HG changeset patch
# User Ryan C. Gordon
# Date 1207943710 0
# Node ID 61a317171ef0de5d10ab9bd0630350d866b9e963
# Parent 50bb9a6cebfe8a28f9aacf712ff0671254e4c26d
Merge r536:537 from trunk: Speex bogus data check.
diff -r 50bb9a6cebfe -r 61a317171ef0 CHANGELOG
--- a/CHANGELOG Mon Aug 06 09:44:02 2007 +0000
+++ b/CHANGELOG Fri Apr 11 19:55:10 2008 +0000
@@ -2,6 +2,7 @@
 * CHANGELOG.
 */
+04112008 - Check if Speex header has bogus data (CVE-2008-1686).
 08062007 - Updated my email address.
 07152007 - Minor correction in Timidity resampling code (Thanks, Sam!).
 07062007 - Fixed uninitialized buffer in mpglib. (Thanks, Phil!).
diff -r 50bb9a6cebfe -r 61a317171ef0 decoders/speex.c
--- a/decoders/speex.c Mon Aug 06 09:44:02 2007 +0000
+++ b/decoders/speex.c Fri Apr 11 19:55:10 2008 +0000
@@ -136,6 +136,7 @@
 free(hptr); /* lame that this forces you to malloc... */
 BAIL_IF_MACRO(header.mode >= SPEEX_NB_MODES, "SPEEX: Unknown mode", 0);
+ BAIL_IF_MACRO(header.mode < 0, "SPEEX: Unknown mode", 0);
 mode = speex_mode_list[header.mode];
 BAIL_IF_MACRO(header.speex_version_id > 1, "SPEEX: Unknown version", 0);
 BAIL_IF_MACRO(mode->bitstream_version < header.mode_bitstream_version,
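Review bot: The lower-bound test on `header.mode` in decoders/speex.c is added as a second statement after the upper-bound one, so the two halves of the index validation for `speex_mode_list[header.mode]` can drift apart in later edits; a single range check, `BAIL_IF_MACRO(header.mode < 0 || header.mode >= SPEEX_NB_MODES, "SPEEX: Unknown mode", 0);`, keeps them together directly above the indexing line. A short comment over it, such as `/* header.mode is a signed value taken from the stream and is used as an array index below */`, would record why both bounds are needed (the CHANGELOG entry ties this to CVE-2008-1686). The remaining fields come from the same stream-supplied header, and whether the ones used later are range-checked cannot be told from this hunk: the enclosing function starts before it and continues past it, and the last context line is cut mid-statement.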