diff options
author | Chris Evans <cevans@chromium.org> | 2012-01-05 21:25:41 +0100 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-01-07 22:03:34 +0100 |
commit | 6d6254ba9fbb22260939c06db1faed5bbd295ad4 (patch) | |
tree | 97d8eb2a079c9c9e476c7fb0cc63fb70d7121b7f | |
parent | ae24b5ce3a955e4003c667e5ab3526ce80c71138 (diff) | |
download | ffmpeg-6d6254ba9fbb22260939c06db1faed5bbd295ad4.tar.gz |
vorbis: Avoid some out-of-bounds reads
Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 57cd6d709565e84e84385f8f2a9641ca3fa718be)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4a94678f1be4b7d47f862e9523ca3358255da5d4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r-- | libavcodec/vorbis.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 47388d8302..109737976c 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -156,7 +156,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } -static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1, +static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1, intptr_t sy, int ady, int adx, float *buf) { @@ -179,7 +179,7 @@ static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1, } } -static void render_line(int x0, int y0, int x1, int y1, float *buf) +static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf) { int dy = y1 - y0; int adx = x1 - x0; @@ -189,10 +189,10 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf) if (ady*2 <= adx) { // optimized common case render_line_unrolled(x0, y0, x1, sy, ady, adx, buf); } else { - int base = dy / adx; - int x = x0; - int y = y0; - int err = -adx; + int base = dy / adx; + int x = x0; + uint8_t y = y0; + int err = -adx; ady -= FFABS(base) * adx; while (++x < x1) { y += base; @@ -210,7 +210,8 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, uint_fast16_t *y_list, int *flag, int multiplier, float *out, int samples) { - int lx, ly, i; + int lx, i; + uint8_t ly; lx = 0; ly = y_list[0] * multiplier; for (i = 1; i < values; i++) { |