diff options
author | Monty <xiphmont@xiph.org> | 2010-10-18 09:52:45 +0000 |
---|---|---|
committer | Monty <xiphmont@xiph.org> | 2010-10-18 09:52:45 +0000 |
commit | d9c0b177008937bce110c3902479ad8c720f6b14 (patch) | |
tree | f12c25aa626e8beb5f7514b0e64fc6616131a248 | |
parent | 55be1042f93493112e984c8cecf03613c84e5876 (diff) | |
download | tremor-d9c0b177008937bce110c3902479ad8c720f6b14.tar.gz |
If fuzzing swaps in a codebook that allows values outside the circular
range of the piecewise representation, it can overflow the lookup.
Proper fix here is just a simple clamp.
git-svn-id: https://svn.xiph.org/trunk/Tremor@17543 0101bb08-14d6-0310-b084-bc0e0c8e3800
-rw-r--r-- | floor1.c | 12 |
1 files changed, 9 insertions, 3 deletions
@@ -394,7 +394,7 @@ static void *floor1_inverse1(vorbis_block *vb,vorbis_look_floor *in){ } } - fit_value[i]=val+predicted; + fit_value[i]=(val+predicted)&0x7fff;; fit_value[look->loneighbor[i-2]]&=0x7fff; fit_value[look->hineighbor[i-2]]&=0x7fff; @@ -425,14 +425,20 @@ static int floor1_inverse2(vorbis_block *vb,vorbis_look_floor *in,void *memo, int hx=0; int lx=0; int ly=fit_value[0]*info->mult; + /* guard lookup against out-of-rage values */ + ly=(ly<0?0:ly>255?255:ly); + for(j=1;j<look->posts;j++){ int current=look->forward_index[j]; int hy=fit_value[current]&0x7fff; if(hy==fit_value[current]){ - hy*=info->mult; hx=info->postlist[current]; - + hy*=info->mult; + /* guard lookup against out-of-rage values */ + hy=(hy<0?0:hy>255?255:hy); + + render_line(n,lx,hx,ly,hy,out); lx=hx; |