If fuzzing swaps in a codebook that allows values outside the circular

range of the piecewise representation, it can overflow the lookup.
Proper fix here is just a simple clamp.




git-svn-id: https://svn.xiph.org/trunk/Tremor@17543 0101bb08-14d6-0310-b084-bc0e0c8e3800

1 files changed, 9 insertions, 3 deletions

diff --git a/floor1.c b/floor1.c
index d2a5be7..a408392 100644
--- a/floor1.c
+++ b/floor1.c
@@ -394,7 +394,7 @@ static void *floor1_inverse1(vorbis_block *vb,vorbis_look_floor *in){
 	  }
 	}
 
-	fit_value[i]=val+predicted;
+	fit_value[i]=(val+predicted)&0x7fff;;
 	fit_value[look->loneighbor[i-2]]&=0x7fff;
 	fit_value[look->hineighbor[i-2]]&=0x7fff;
 
@@ -425,14 +425,20 @@ static int floor1_inverse2(vorbis_block *vb,vorbis_look_floor *in,void *memo,
     int hx=0;
     int lx=0;
     int ly=fit_value[0]*info->mult;
+    /* guard lookup against out-of-rage values */
+    ly=(ly<0?0:ly>255?255:ly);
+
     for(j=1;j<look->posts;j++){
       int current=look->forward_index[j];
       int hy=fit_value[current]&0x7fff;
       if(hy==fit_value[current]){
 	
-	hy*=info->mult;
 	hx=info->postlist[current];
-	
+	hy*=info->mult;
+        /* guard lookup against out-of-rage values */
+        hy=(hy<0?0:hy>255?255:hy);
+
+
 	render_line(n,lx,hx,ly,hy,out);
 	
 	lx=hx;