ogg: Avoid the possibility to read out-of-bounds of a static global array in Vorbis
authorChris Evans <cevans@chromium.org>
Wed, 4 Jan 2012 16:24:15 +0000 (17:24 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Wed, 4 Jan 2012 21:18:56 +0000 (22:18 +0100)
decoding.

BUG=100543
Review URL: http://codereview.chromium.org/8365014
This fixes 25% of CVE-2011-3893

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7149fce2cac0474a5fbc5b47add1158cd8bb283e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/vorbis.c

index 1624948..251442b 100644 (file)
@@ -156,7 +156,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
     }
 }
 
-static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, unsigned char y, int x1,
                                         intptr_t sy, int ady, int adx,
                                         float *buf)
 {
@@ -191,7 +191,7 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf)
     } else {
         int base = dy / adx;
         int x    = x0;
-        int y    = y0;
+        unsigned char y = y0;
         int err  = -adx;
         ady -= FFABS(base) * adx;
         while (++x < x1) {