From: Helmut Grohne <helmut () subdivi de>
Subject: hcom: fix parsing of valid huffman dictionaries
Bug-Debian: https://bugs.debian.org/933372

This is a regression update for the fix applied for CVE-2017-11358.

--- a/src/hcom.c
+++ b/src/hcom.c
@@ -150,11 +150,24 @@
                 lsx_debug("%d %d",
                        p->dictionary[i].dict_leftson,
                        p->dictionary[i].dict_rightson);
-                if ((unsigned) p->dictionary[i].dict_leftson >= dictsize ||
-                    (unsigned) p->dictionary[i].dict_rightson >= dictsize) {
+                if (p->dictionary[i].dict_leftson < 0) {
+                        if (i == 0) {
+                                free(p->dictionary);
+                                p->dictionary = NULL;
+                                lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary: root node is leaf");
+                                return SOX_EOF;
+                        }
+                        if ((unsigned)p->dictionary[i].dict_rightson > 0xff) {
+                                free(p->dictionary);
+                                p->dictionary = NULL;
+                                lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary: invalid leaf value");
+                                return SOX_EOF;
+                        }
+                } else if ((unsigned) p->dictionary[i].dict_leftson >= dictsize ||
+                           (unsigned) p->dictionary[i].dict_rightson >= dictsize) {
                         free(p->dictionary);
                         p->dictionary = NULL;
-                        lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary");
+                        lsx_fail_errno(ft, SOX_EHDR, "Invalid dictionary: invalid branch node");
                         return SOX_EOF;
                 }
         }
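Review bot: The branch-node test in the `else if` only bounds `dict_leftson` and `dict_rightson` by `dictsize`, so a node whose son index equals its own index `i`, or 0 (the root, going by the new "root node is leaf" message), still passes validation. Neither can occur in a well-formed tree; if the decoder walks sons without a step limit, such a table would make it consume input without ever reaching a leaf, though that is inferred because the decode loop is outside this hunk. The cheapest cases to reject are covered by extending the condition with `|| p->dictionary[i].dict_leftson == 0 || p->dictionary[i].dict_rightson == 0` and the matching `== i` comparisons; longer cycles would need a separate reachability check. The enclosing loop and function start before the hunk.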
