# HG changeset patch
# User Ryan C. Gordon
# Date 1207943637 0
# Node ID b5ddeebce808a8f4c4b8a67e98939fe1cf070069
# Parent 2df1f5c62d387a55cc1c65a3a01430892a466610
Check if Speex header has bogus data (CVE-2008-1686).
diff -r 2df1f5c62d38 -r b5ddeebce808 CHANGELOG
--- a/CHANGELOG Mon Aug 06 09:44:02 2007 +0000
+++ b/CHANGELOG Fri Apr 11 19:53:57 2008 +0000
@@ -2,6 +2,7 @@
 * CHANGELOG.
 */
+04112008 - Check if Speex header has bogus data (CVE-2008-1686).
 08062007 - Updated my email address. Added -fvisibility=hidden support.
 07152007 - Minor correction in Timidity resampling code (Thanks, Sam!).
 07062007 - Fixed uninitialized buffer in mpglib. (Thanks, Phil!).
diff -r 2df1f5c62d38 -r b5ddeebce808 decoders/speex.c
--- a/decoders/speex.c Mon Aug 06 09:44:02 2007 +0000
+++ b/decoders/speex.c Fri Apr 11 19:53:57 2008 +0000
@@ -136,6 +136,7 @@
 free(hptr); /* lame that this forces you to malloc... */
 BAIL_IF_MACRO(header.mode >= SPEEX_NB_MODES, "SPEEX: Unknown mode", 0);
+ BAIL_IF_MACRO(header.mode < 0, "SPEEX: Unknown mode", 0);
 mode = speex_mode_list[header.mode];
 BAIL_IF_MACRO(header.speex_version_id > 1, "SPEEX: Unknown version", 0);
 BAIL_IF_MACRO(mode->bitstream_version < header.mode_bitstream_version,
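Review bot: The lower-bound test added in decoders/speex.c just before `mode = speex_mode_list[header.mode];` repeats the message and return value of the upper-bound test on the line above it, so the two would read better as one range check, `BAIL_IF_MACRO((header.mode < 0) || (header.mode >= SPEEX_NB_MODES), "SPEEX: Unknown mode", 0);`. A short comment above it, such as `/* header.mode comes from the stream; bound it on both sides before indexing speex_mode_list */`, would keep a later cleanup from dropping the negative case again. The hunk also dereferences `mode` straight after the lookup, so if any build of the library can leave a table slot empty (not visible here), a NULL check on `mode` before `mode->bitstream_version` would be a cheap extra guard. The other header fields consumed after this point are outside the hunk, as are the start and end of the enclosing function, so it is worth confirming they are range-validated in the same way.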