vorbis: Avoid some out-of-bounds reads

Fixes Bug: #190 Chromium Bug: #100543 Related to CVE-2011-3893 Signed-off-by: Reinhard Tartler <siretart@tauware.de>
2012-01-05 21:25:41 +01:00 · 2012-01-05 21:25:41 +01:00 · 57cd6d7095
parent f86209b43d
commit 57cd6d7095
1 changed files with 8 additions and 7 deletions
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@ -152,7 +152,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
    }
 }

-static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1,
                                        intptr_t sy, int ady, int adx,
                                        float *buf)
 {
@ -175,7 +175,7 @@ static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
    }
 }

-static void render_line(int x0, int y0, int x1, int y1, float *buf)
+static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf)
 {
    int dy  = y1 - y0;
    int adx = x1 - x0;
@ -185,10 +185,10 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf)
    if (ady*2 <= adx) { // optimized common case
        render_line_unrolled(x0, y0, x1, sy, ady, adx, buf);
    } else {
-        int base = dy / adx;
-        int x    = x0;
-        int y    = y0;
-        int err  = -adx;
+        int base  = dy / adx;
+        int x     = x0;
+        uint8_t y = y0;
+        int err   = -adx;
        ady -= FFABS(base) * adx;
        while (++x < x1) {
            y += base;
@ -206,7 +206,8 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values,
                                  uint16_t *y_list, int *flag,
                                  int multiplier, float *out, int samples)
 {
-    int lx, ly, i;
+    int lx, i;
+    uint8_t ly;
    lx = 0;
    ly = y_list[0] * multiplier;
    for (i = 1; i < values; i++) {