aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2014-10-04 03:12:34 +0200
committerMichael Niedermayer <michaelni@gmx.at>2014-11-28 18:53:10 +0100
commit21808e2181800dabaadca695157ae8e391d6a2aa (patch)
tree8e62d0d7cdfb4515b66f33606c6d31819d43f7aa
parentbf2605c35610e76bb83175407927ffca226dd6fd (diff)
downloadffmpeg-21808e2181800dabaadca695157ae8e391d6a2aa.tar.gz
avcodec/vorbisdec: Fix off by 1 error in ptns_to_read
Fixes read of uninitialized memory Fixes: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 8c50704ebf1777bee76772c4835d9760b3721057) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/vorbisdec.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index dfffc6f046..1221326561 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -1314,7 +1314,9 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
vorbis_residue *vr,
uint8_t *do_not_decode,
unsigned ch_used,
- int partition_count)
+ int partition_count,
+ int ptns_to_read
+ )
{
int p, j, i;
unsigned c_p_c = vc->codebooks[vr->classbook].dimensions;
@@ -1336,7 +1338,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
temp2 = (((uint64_t)temp) * inverse_class) >> 32;
- if (i < vr->ptns_to_read)
+ if (i < ptns_to_read)
vr->classifs[p + i] = temp - temp2 * vr->classifications;
temp = temp2;
}
@@ -1344,13 +1346,13 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
temp2 = temp / vr->classifications;
- if (i < vr->ptns_to_read)
+ if (i < ptns_to_read)
vr->classifs[p + i] = temp - temp2 * vr->classifications;
temp = temp2;
}
}
}
- p += vr->ptns_to_read;
+ p += ptns_to_read;
}
return 0;
}
@@ -1404,7 +1406,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error
if (!pass) {
int ret;
- if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count)) < 0)
+ if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count, ptns_to_read)) < 0)
return ret;
}
for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) {