Backport codebook out-of-bounds write fix from main branchlowmem

Backports commit 562307a4a7082e24553f3d2c55dab397a17c4b4f from tremor main branch: Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition.
author: Miika-Petteri Matikainen <miikapetterim@spotify.com> 2019-08-09 13:07:31 +0200
committer: Miika-Petteri Matikainen <miikapetterim@spotify.com> 2019-08-22 12:53:57 +0200
commit: 89a7534bf2e70112e0354452b17a78675ca92dbf (patch)
tree: 1f2f9b22b4bfd068b8b24ad2696d4c6c82bb03fb
parent: 550bb0a21c559f63f63bf0ad6019cfd6de1ae526 (diff)
download: tremor-lowmem.tar.gz
1 files changed, 4 insertions, 3 deletions
diff --git a/codebook.c b/codebook.c
index 295a9c1..ec7602e 100644
--- a/codebook.c
+++ b/codebook.c
@@ -738,7 +738,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
     
     for(i=0;i<n;){
       if(decode_map(book,b,v,point))return -1;
-      for (j=0;j<book->dim;j++)
+      for (j=0;i<n && j<book->dim;j++)
 	a[i++]+=v[j];
     }
   }
@@ -779,10 +779,11 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,
     ogg_int32_t *v = (ogg_int32_t *)alloca(sizeof(*v)*book->dim);
     long i,j;
     int chptr=0;
+    long m=offset+n;
     
-    for(i=offset;i<offset+n;){
+    for(i=offset;i<m;){
       if(decode_map(book,b,v,point))return -1;
-      for (j=0;j<book->dim;j++){
+      for (j=0;i<m && j<book->dim;j++){
 	a[chptr++][i]+=v[j];
 	if(chptr==ch){
 	  chptr=0;
author	Miika-Petteri Matikainen <miikapetterim@spotify.com>	2019-08-09 13:07:31 +0200
committer	Miika-Petteri Matikainen <miikapetterim@spotify.com>	2019-08-22 12:53:57 +0200
commit	89a7534bf2e70112e0354452b17a78675ca92dbf (patch)
tree	1f2f9b22b4bfd068b8b24ad2696d4c6c82bb03fb
parent	550bb0a21c559f63f63bf0ad6019cfd6de1ae526 (diff)
download	tremor-lowmem.tar.gz