author | Miika-Petteri Matikainen <miikapetterim@spotify.com> | 2019-08-09 13:07:31 +0200 |
---|---|---|
committer | Miika-Petteri Matikainen <miikapetterim@spotify.com> | 2019-08-22 12:53:57 +0200 |
commit | 89a7534bf2e70112e0354452b17a78675ca92dbf (patch) | |
tree | 1f2f9b22b4bfd068b8b24ad2696d4c6c82bb03fb | |
parent | 550bb0a21c559f63f63bf0ad6019cfd6de1ae526 (diff) | |
download | tremor-lowmem.tar.gz |
Backport codebook out-of-bounds write fix from main branchlowmem
Backports commit 562307a4a7082e24553f3d2c55dab397a17c4b4f from
tremor main branch:
Prevent out-of-bounds write in codebook decoding.
Codebooks that are not an exact divisor of the partition size are now
truncated to fit within the partition.
-rw-r--r-- | codebook.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -738,7 +738,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
 for(i=0;i<n;){
 if(decode_map(book,b,v,point))return -1;
- for (j=0;j<book->dim;j++)
+ for (j=0;i<n && j<book->dim;j++)
 a[i++]+=v[j];
 }
 }
@@ -779,10 +779,11 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,
 ogg_int32_t *v = (ogg_int32_t *)alloca(sizeof(*v)*book->dim);
 long i,j;
 int chptr=0;
+ long m=offset+n;
- for(i=offset;i<offset+n;){
+ for(i=offset;i<m;){
 if(decode_map(book,b,v,point))return -1;
- for (j=0;j<book->dim;j++){
+ for (j=0;i<m && j<book->dim;j++){
 a[chptr++][i]+=v[j];
 if(chptr==ch){
 chptr=0; |
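Review bot: The new `i<n` condition in the inner loop of vorbis_book_decodev_add carries no comment, so a later reader could mistake it for a duplicate of the outer `i<n` test and remove it. A comment such as `/* book->dim need not divide n: drop the tail of the last vector instead of writing past a[n-1] */` would record why it is there. The function still returns 0 on that path, so a stream whose codebook does not fit the partition is truncated silently rather than rejected; if that is the intended policy, the comment should say so. The diffstat lists only the two functions patched here, so any other routine in codebook.c with the same `j<book->dim` write loop (for example vorbis_book_decodev_set, which is not shown on this page) should be checked for the same guard. The function's body begins outside the hunk.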
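Review bot: The context line `alloca(sizeof(*v)*book->dim)` in vorbis_book_decodevv_add sizes a stack buffer from the same `book->dim` that this change stops trusting as a write bound. If dim is read from the stream's codebook header without an upper limit (the unpack code is not visible here), a crafted file could request a very large stack allocation; a limit enforced where the codebook is parsed, or a check ahead of the alloca, would close that. In the added line `long m=offset+n;`, a name such as `end` with a short comment would make the bound easier to audit. The declarations of `offset` and `n` are outside the hunk, so it is worth confirming that the sum cannot overflow. The rest of the loop body also lies outside the hunk.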