avidemux-2.5.4-5.2.mga1.src.rpm

Description: fix denial of service and possible code execution via
 crafted WebM file
Origin: upstream, http://git.videolan.org/?p=ffmpeg.git;a=commit;h=5e3d023702587c137ac0a725d601d26a8978a125
Bug: https://roundup.ffmpeg.org/issue2548
Bug: https://roundup.ffmpeg.org/issue2550
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610550

diff -Nur ffmpeg-0.6/libavcodec/vorbis_dec.c ffmpeg-0.6.new/libavcodec/vorbis_dec.c
--- ffmpeg-0.6/libavcodec/vorbis_dec.c	2011-03-31 10:37:33.642468371 -0400
+++ ffmpeg-0.6.new/libavcodec/vorbis_dec.c	2011-03-31 10:37:38.402468370 -0400
@@ -477,6 +477,7 @@
         if (floor_setup->floor_type == 1) {
             uint_fast8_t  maximum_class = 0;
             uint_fast8_t  rangebits;
+            uint_fast32_t rangemax;
             uint_fast16_t floor1_values = 2;
 
             floor_setup->decode = vorbis_floor1_decode;
@@ -530,8 +531,15 @@
 
 
             rangebits = get_bits(gb, 4);
+            rangemax = (1 << rangebits);
+            if (rangemax > vc->blocksize[1] / 2) {
+                av_log(vc->avccontext, AV_LOG_ERROR,
+                       "Floor value is too large for blocksize: %d (%d)\n",
+                       rangemax, vc->blocksize[1] / 2);
+                return -1;
+            }
             floor_setup->data.t1.list[0].x = 0;
-            floor_setup->data.t1.list[1].x = (1 << rangebits);
+            floor_setup->data.t1.list[1].x = rangemax;
 
             for (j = 0; j < floor_setup->data.t1.partitions; ++j) {
                 for (k = 0; k < floor_setup->data.t1.class_dimensions[floor_setup->data.t1.partition_class[j]]; ++k, ++floor1_values) {
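Review bot: The added `av_log` call prints `rangemax` with `%d`, but the first hunk declares it as `uint_fast32_t`. Where that type is wider than `int`, as on common 64-bit ABIs, the varargs mismatch is undefined behaviour and can also garble the second value in the error line. Casting both arguments keeps the diagnostic reliable: `"Floor value is too large for blocksize: %u (%u)\n", (unsigned)rangemax, (unsigned)(vc->blocksize[1] / 2));`. The type of `vc->blocksize` is not visible here, so the second cast is a precaution. A one-line comment above the check saying why the limit is `blocksize[1] / 2` would also help, because the enclosing function starts and ends outside this hunk and the later use of `list[].x` cannot be seen from it.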