author | Miika-Petteri Matikainen <miikapetterim@spotify.com> | 2019-08-09 13:02:52 +0200 |
---|---|---|
committer | Miika-Petteri Matikainen <miikapetterim@spotify.com> | 2019-08-22 12:53:50 +0200 |
commit | 550bb0a21c559f63f63bf0ad6019cfd6de1ae526 (patch) | |
tree | 70851f69840729b3c25f48a1fee5f457aed78e30 /floor0.c | |
parent | 293fd1c04f9d4489be6d4b2b1ca8698f2f902e8e (diff) | |
download | tremor-550bb0a21c559f63f63bf0ad6019cfd6de1ae526.tar.gz |
Backport floor0 out-of-bounds write fix from main branch

Backports commit 80661a13c93a01f25b8df4e89fecad0eee69ddcc from
tremor main branch:

floor0 code could potentially use a book where the number of vals it
needed to decode was not an integer number of dims wide. This caused
it to overflow the output vector as the termination condition was in
the outer loop of vorbis_book_decodev_set.

None of the various vorbis_book_decodeXXXX calls internally guard
against this case either, but in every other use the calling code does
properly guard (and avoids putting more checks in the tight inner
decode loop).

For floor0, move the checks into the inner loop as there's little
penalty for doing so. Add commentary indicating where guarding is
done for each call variant.
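
The failure mode the commit message describes, as an added example that is not part of the commit or of Tremor's code: a simplified decode loop with the bound tested only in the outer loop, beside one that also tests it in the inner loop. `toy_book`, both decode functions and `slots_overwritten` are hypothetical stand-ins, and the buffer carries canary slack so the demonstration stays inside its own memory.

```c
#include <stdint.h>
#include <stdio.h>

#define BUF_SLOTS 64
#define CANARY INT32_MIN

/* Hypothetical stand-in for a vector codebook: one entry yields `dim` values. */
struct toy_book { int dim; };

typedef void (*decode_fn)(const struct toy_book *, int32_t *, int);

/* Bound tested only in the outer loop: whole entries are always written,
   so n is effectively rounded up to a multiple of dim. */
static void decode_outer_check(const struct toy_book *b, int32_t *a, int n) {
    for (int i = 0; i < n;)
        for (int j = 0; j < b->dim; j++)
            a[i++] = 1;
}

/* Bound tested in the inner loop as well: the last entry is truncated at n. */
static void decode_inner_check(const struct toy_book *b, int32_t *a, int n) {
    for (int i = 0; i < n;)
        for (int j = 0; i < n && j < b->dim; j++)
            a[i++] = 1;
}

/* Decode n values into a buffer that has canary-filled slack after slot n-1
   and return how many slack slots were overwritten (-1 on bad arguments).
   The slack keeps the demonstration itself inside the buffer. */
static int slots_overwritten(decode_fn decode, int dim, int n) {
    int32_t buf[BUF_SLOTS];
    struct toy_book b = { dim };
    int hits = 0;
    if (dim <= 0 || n < 0 || n + dim > BUF_SLOTS) return -1;
    for (int i = 0; i < BUF_SLOTS; i++) buf[i] = CANARY;
    decode(&b, buf, n);
    for (int i = n; i < BUF_SLOTS; i++) hits += (buf[i] != CANARY);
    return hits;
}

int main(void) {
    /* Constructed case: 10 values wanted, codebook 4 wide (10 is not a multiple of 4). */
    printf("outer-loop check: %d slots past the end\n", slots_overwritten(decode_outer_check, 4, 10));
    printf("inner-loop check: %d slots past the end\n", slots_overwritten(decode_inner_check, 4, 10));
    return 0;
}
```
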
Diffstat (limited to 'floor0.c')
-rw-r--r-- | floor0.c | 5 |
1 files changed, 2 insertions, 3 deletions
@@ -393,10 +393,9 @@ ogg_int32_t *floor0_inverse1(vorbis_dsp_state *vd,vorbis_info_floor *i, codebook *b=ci->book_param+info->books[booknum]; ogg_int32_t last=0; - for(j=0;j<info->order;j+=b->dim) - if(vorbis_book_decodev_set(b,lsp+j,&vd->opb,b->dim,-24)==-1)goto eop; + if(vorbis_book_decodev_set(b,lsp,&vd->opb,info->order,-24)==-1)goto eop; for(j=0;j<info->order;){ - for(k=0;k<b->dim;k++,j++)lsp[j]+=last; + for(k=0;j<info->order && k<b->dim;k++,j++)lsp[j]+=last; last=lsp[j-1]; } |
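Review bot: The rewritten call `vorbis_book_decodev_set(b,lsp,&vd->opb,info->order,-24)` now relies entirely on the callee stopping at `info->order` values when that count is not a multiple of `b->dim`, yet nothing at the call site says so, even though the commit message promises commentary on where guarding is done for each call variant. A one-line comment here naming where the bound is enforced would keep a later change to the decode loop from silently reintroducing the overflow of `lsp`. In the second loop the added `j<info->order` guard is correct, but `last=lsp[j-1]` and the loop's forward progress still assume `b->dim` is at least 1, so it is worth confirming that codebook setup rejects a zero `dim` before this function runs.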