aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChris Evans <cevans@chromium.org>2012-01-05 21:25:41 +0100
committerReinhard Tartler <siretart@tauware.de>2012-01-06 19:58:22 +0100
commit57cd6d709565e84e84385f8f2a9641ca3fa718be (patch)
tree3365c49a461f539c01f76dfee034034e9aa96abe
parentf86209b43de91e84675f7d1be6a1572ecccb2110 (diff)
downloadffmpeg-57cd6d709565e84e84385f8f2a9641ca3fa718be.tar.gz
vorbis: Avoid some out-of-bounds reads
Fixes Bug: #190 Chromium Bug: #100543 Related to CVE-2011-3893 Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r--libavcodec/vorbis.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index 86df2886f2..0b26870421 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -152,7 +152,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
}
}
-static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1,
intptr_t sy, int ady, int adx,
float *buf)
{
@@ -175,7 +175,7 @@ static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
}
}
-static void render_line(int x0, int y0, int x1, int y1, float *buf)
+static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf)
{
int dy = y1 - y0;
int adx = x1 - x0;
@@ -185,10 +185,10 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf)
if (ady*2 <= adx) { // optimized common case
render_line_unrolled(x0, y0, x1, sy, ady, adx, buf);
} else {
- int base = dy / adx;
- int x = x0;
- int y = y0;
- int err = -adx;
+ int base = dy / adx;
+ int x = x0;
+ uint8_t y = y0;
+ int err = -adx;
ady -= FFABS(base) * adx;
while (++x < x1) {
y += base;
@@ -206,7 +206,8 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values,
uint16_t *y_list, int *flag,
int multiplier, float *out, int samples)
{
- int lx, ly, i;
+ int lx, i;
+ uint8_t ly;
lx = 0;
ly = y_list[0] * multiplier;
for (i = 1; i < values; i++) {