diff options
| author | Ralph Giles <giles@thaumas.net> | 2020-06-12 17:43:28 -0700 |
|---|---|---|
| committer | Ralph Giles <giles@thaumas.net> | 2020-07-01 22:57:01 -0700 |
| commit | a9eb99a5bd6f2d7da02d6cd13a428baf3a1bf48c (patch) | |
| tree | 53298e38145e77f8cee771e76850f7eaf630380a | |
| parent | 5fd186e2a5bc45dfd3ff2248e5d6247f7567c3dd (diff) | |
| download | libvorbis-git-a9eb99a5bd6f2d7da02d6cd13a428baf3a1bf48c.tar.gz | |
Add further array bounds checks to bark_noise_hybridmp.
Make it clear to local analysis that no out-of-bounds array
accesses are possible here.
Follow-up to CVE-2018-10393 and CVE-2017-14160.
Signed-off-by: Thomas Daede <daede003@umn.edu>
Signed-off-by: Monty <xiphmont@xiph.org>
| -rw-r--r-- | lib/psy.c | 23 |
1 files changed, 13 insertions, 10 deletions
@@ -599,11 +599,11 @@ static void bark_noise_hybridmp(int n,const long *b, XY[i] = tXY; } - for (i = 0, x = 0.f;; i++, x += 1.f) { + for (i = 0, x = 0.f; i < n; i++, x += 1.f) { lo = b[i] >> 16; hi = b[i] & 0xffff; - if( lo>=0 ) break; + if( lo>=0 || -lo>=n ) break; if( hi>=n ) break; tN = N[hi] + N[-lo]; @@ -616,17 +616,17 @@ static void bark_noise_hybridmp(int n,const long *b, B = tN * tXY - tX * tY; D = tN * tXX - tX * tX; R = (A + x * B) / D; - if (R < 0.f) - R = 0.f; + if (R < 0.f) R = 0.f; noise[i] = R - offset; } - for ( ;; i++, x += 1.f) { + for ( ; i < n; i++, x += 1.f) { lo = b[i] >> 16; hi = b[i] & 0xffff; - if(hi>=n)break; + if( lo<0 || lo>=n ) break; + if( hi>=n ) break; tN = N[hi] - N[lo]; tX = X[hi] - X[lo]; @@ -642,6 +642,7 @@ static void bark_noise_hybridmp(int n,const long *b, noise[i] = R - offset; } + for ( ; i < n; i++, x += 1.f) { R = (A + x * B) / D; @@ -652,10 +653,11 @@ static void bark_noise_hybridmp(int n,const long *b, if (fixed <= 0) return; - for (i = 0, x = 0.f;; i++, x += 1.f) { + for (i = 0, x = 0.f; i < n; i++, x += 1.f) { hi = i + fixed / 2; lo = hi - fixed; - if(lo>=0)break; + if ( hi>=n ) break; + if ( lo>=0 ) break; tN = N[hi] + N[-lo]; tX = X[hi] - X[-lo]; @@ -671,11 +673,12 @@ static void bark_noise_hybridmp(int n,const long *b, if (R - offset < noise[i]) noise[i] = R - offset; } - for ( ;; i++, x += 1.f) { + for ( ; i < n; i++, x += 1.f) { hi = i + fixed / 2; lo = hi - fixed; - if(hi>=n)break; + if ( hi>=n ) break; + if ( lo<0 ) break; tN = N[hi] - N[lo]; tX = X[hi] - X[lo]; |