aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorChris Evans <cevans@chromium.org>2012-01-04 17:24:15 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-01-04 21:58:08 +0100
commit7149fce2cac0474a5fbc5b47add1158cd8bb283e (patch)
treed56f014205d17cf16cc764a1aecddfcfacf4050e /libavcodec
parentf35e037c93cf7d25e65b4a2ed3674358f05e4bed (diff)
downloadffmpeg-7149fce2cac0474a5fbc5b47add1158cd8bb283e.tar.gz
ogg: Avoid the possibility to read out-of-bounds of a static global array in Vorbis
decoding. BUG=100543 Review URL: http://codereview.chromium.org/8365014 This fixes 25% of CVE-2011-3893 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/vorbis.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index b850b59dd0..dce7a55975 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -156,7 +156,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
}
}
-static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, unsigned char y, int x1,
intptr_t sy, int ady, int adx,
float *buf)
{
@@ -191,7 +191,7 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf)
} else {
int base = dy / adx;
int x = x0;
- int y = y0;
+ unsigned char y = y0;
int err = -adx;
ady -= FFABS(base) * adx;
while (++x < x1) {