Skip to content

F
ffmpeg.wasm-core
Commit 57cd6d70 authored by Chris Evans's avatar Chris Evans Committed by Reinhard Tartler
Browse files
Options

vorbis: Avoid some out-of-bounds reads 

Fixes Bug: #190
Chromium Bug: #100543
Related to CVE-2011-3893
Signed-off-by: 's avatarReinhard Tartler <siretart@tauware.de>
parent f86209b4
Hide whitespace changes
Inline Side-by-side
Showing with 8 additions and 7 deletions
libavcodec/vorbis.c
View file @ 57cd6d70
......@@ -152,7 +152,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
}
}
static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1,
intptr_t sy, int ady, int adx,
float *buf)
{
......@@ -175,7 +175,7 @@ static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
}
}
static void render_line(int x0, int y0, int x1, int y1, float *buf)
static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf)
{
int dy = y1 - y0;
int adx = x1 - x0;
......@@ -185,10 +185,10 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf)
if (ady*2 <= adx) { // optimized common case
render_line_unrolled(x0, y0, x1, sy, ady, adx, buf);
} else {
int base = dy / adx;
int x = x0;
int y = y0;
int err = -adx;
int base = dy / adx;
int x = x0;
uint8_t y = y0;
int err = -adx;
ady -= FFABS(base) * adx;
while (++x < x1) {
y += base;
......@@ -206,7 +206,8 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values,
uint16_t *y_list, int *flag,
int multiplier, float *out, int samples)
{
int lx, ly, i;
int lx, i;
uint8_t ly;
lx = 0;
ly = y_list[0] * multiplier;
for (i = 1; i < values; i++) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment