From 89a7534bf2e70112e0354452b17a78675ca92dbf Mon Sep 17 00:00:00 2001
From: Miika-Petteri Matikainen <miikapetterim@spotify.com>
Date: Fri, 9 Aug 2019 13:07:31 +0200
Subject: Backport codebook out-of-bounds write fix from main branch

Backports commit 562307a4a7082e24553f3d2c55dab397a17c4b4f from
tremor main branch:

    Prevent out-of-bounds write in codebook decoding.

    Codebooks that are not an exact divisor of the partition size are now
    truncated to fit within the partition.
---
 codebook.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/codebook.c b/codebook.c
index 295a9c1..ec7602e 100644
--- a/codebook.c
+++ b/codebook.c
@@ -738,7 +738,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
     
     for(i=0;i<n;){
       if(decode_map(book,b,v,point))return -1;
-      for (j=0;j<book->dim;j++)
+      for (j=0;i<n && j<book->dim;j++)
 	a[i++]+=v[j];
     }
   }
@@ -779,10 +779,11 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,
     ogg_int32_t *v = (ogg_int32_t *)alloca(sizeof(*v)*book->dim);
     long i,j;
     int chptr=0;
+    long m=offset+n;
     
-    for(i=offset;i<offset+n;){
+    for(i=offset;i<m;){
       if(decode_map(book,b,v,point))return -1;
-      for (j=0;j<book->dim;j++){
+      for (j=0;i<m && j<book->dim;j++){
 	a[chptr++][i]+=v[j];
 	if(chptr==ch){
 	  chptr=0;
-- 
cgit v1.2.1