RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

vorbisdec: Prevent a potential integer overflow. 

If sizeof uint_fast8_t > 1 and sizeof size_t <= 4, the expression that mallocs
classifs  is susceptible to integer overflow.

Originally committed as revision 24675 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Alex Converse 2010-08-03 00:25:06 +00:00
parent 83abdf5ff0
commit 366d919016
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/vorbis_dec.c
View File

@ -103,7 +103,7 @@ typedef struct {
int_fast16_t books[64][8];
uint_fast8_t maxpass;
uint_fast16_t ptns_to_read;
uint_fast8_t *classifs;
uint8_t *classifs;
} vorbis_residue;
typedef struct {
@ -1267,7 +1267,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
GetBitContext *gb = &vc->gb;
uint_fast8_t c_p_c = vc->codebooks[vr->classbook].dimensions;
uint_fast16_t ptns_to_read = vr->ptns_to_read;
uint_fast8_t *classifs = vr->classifs;
uint8_t *classifs = vr->classifs;
uint_fast8_t pass;
uint_fast8_t ch_used;
uint_fast8_t i,j,l;