Commit 8c50704e authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/vorbisdec: Fix off by 1 error in ptns_to_read

Fixes read of uninitialized memory
Fixes: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 1c4c78ee
...@@ -1314,7 +1314,9 @@ static av_always_inline int setup_classifs(vorbis_context *vc, ...@@ -1314,7 +1314,9 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
vorbis_residue *vr, vorbis_residue *vr,
uint8_t *do_not_decode, uint8_t *do_not_decode,
unsigned ch_used, unsigned ch_used,
int partition_count) int partition_count,
int ptns_to_read
)
{ {
int p, j, i; int p, j, i;
unsigned c_p_c = vc->codebooks[vr->classbook].dimensions; unsigned c_p_c = vc->codebooks[vr->classbook].dimensions;
...@@ -1336,7 +1338,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, ...@@ -1336,7 +1338,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
temp2 = (((uint64_t)temp) * inverse_class) >> 32; temp2 = (((uint64_t)temp) * inverse_class) >> 32;
if (i < vr->ptns_to_read) if (i < ptns_to_read)
vr->classifs[p + i] = temp - temp2 * vr->classifications; vr->classifs[p + i] = temp - temp2 * vr->classifications;
temp = temp2; temp = temp2;
} }
...@@ -1344,13 +1346,13 @@ static av_always_inline int setup_classifs(vorbis_context *vc, ...@@ -1344,13 +1346,13 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
temp2 = temp / vr->classifications; temp2 = temp / vr->classifications;
if (i < vr->ptns_to_read) if (i < ptns_to_read)
vr->classifs[p + i] = temp - temp2 * vr->classifications; vr->classifs[p + i] = temp - temp2 * vr->classifications;
temp = temp2; temp = temp2;
} }
} }
} }
p += vr->ptns_to_read; p += ptns_to_read;
} }
return 0; return 0;
} }
...@@ -1404,7 +1406,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, ...@@ -1404,7 +1406,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error for (partition_count = 0; partition_count < ptns_to_read;) { // SPEC error
if (!pass) { if (!pass) {
int ret; int ret;
if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count)) < 0) if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count, ptns_to_read)) < 0)
return ret; return ret;
} }
for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) { for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment