diff options
author | Chris Evans <cevans@chromium.org> | 2012-01-04 17:24:15 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-01-04 21:58:08 +0100 |
commit | 7149fce2cac0474a5fbc5b47add1158cd8bb283e (patch) | |
tree | d56f014205d17cf16cc764a1aecddfcfacf4050e /libavcodec/vorbis.c | |
parent | f35e037c93cf7d25e65b4a2ed3674358f05e4bed (diff) | |
download | ffmpeg-7149fce2cac0474a5fbc5b47add1158cd8bb283e.tar.gz |
ogg: Avoid the possibility to read out-of-bounds of a static global array in Vorbis
decoding.
BUG=100543
Review URL: http://codereview.chromium.org/8365014
This fixes 25% of CVE-2011-3893
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/vorbis.c')
-rw-r--r-- | libavcodec/vorbis.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index b850b59dd0..dce7a55975 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -156,7 +156,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } -static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1, +static inline void render_line_unrolled(intptr_t x, unsigned char y, int x1, intptr_t sy, int ady, int adx, float *buf) { @@ -191,7 +191,7 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf) } else { int base = dy / adx; int x = x0; - int y = y0; + unsigned char y = y0; int err = -adx; ady -= FFABS(base) * adx; while (++x < x1) { |