diff options
author | Chris Evans <cevans@chromium.org> | 2012-01-05 21:25:41 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-01-06 19:58:22 +0100 |
commit | 57cd6d709565e84e84385f8f2a9641ca3fa718be (patch) | |
tree | 3365c49a461f539c01f76dfee034034e9aa96abe | |
parent | f86209b43de91e84675f7d1be6a1572ecccb2110 (diff) | |
download | ffmpeg-57cd6d709565e84e84385f8f2a9641ca3fa718be.tar.gz |
vorbis: Avoid some out-of-bounds reads
Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r-- | libavcodec/vorbis.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 86df2886f2..0b26870421 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -152,7 +152,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } -static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1, +static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1, intptr_t sy, int ady, int adx, float *buf) { @@ -175,7 +175,7 @@ static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1, } } -static void render_line(int x0, int y0, int x1, int y1, float *buf) +static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf) { int dy = y1 - y0; int adx = x1 - x0; @@ -185,10 +185,10 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf) if (ady*2 <= adx) { // optimized common case render_line_unrolled(x0, y0, x1, sy, ady, adx, buf); } else { - int base = dy / adx; - int x = x0; - int y = y0; - int err = -adx; + int base = dy / adx; + int x = x0; + uint8_t y = y0; + int err = -adx; ady -= FFABS(base) * adx; while (++x < x1) { y += base; @@ -206,7 +206,8 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, uint16_t *y_list, int *flag, int multiplier, float *out, int samples) { - int lx, ly, i; + int lx, i; + uint8_t ly; lx = 0; ly = y_list[0] * multiplier; for (i = 1; i < values; i++) { |