diff options
Diffstat (limited to 'media-libs/tremor/files/tremor-0_pre20130223-out-of-bounds-write.patch')
| -rw-r--r-- | media-libs/tremor/files/tremor-0_pre20130223-out-of-bounds-write.patch | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/media-libs/tremor/files/tremor-0_pre20130223-out-of-bounds-write.patch b/media-libs/tremor/files/tremor-0_pre20130223-out-of-bounds-write.patch new file mode 100644 index 000000000000..403a89e670a9 --- /dev/null +++ b/media-libs/tremor/files/tremor-0_pre20130223-out-of-bounds-write.patch @@ -0,0 +1,88 @@ +From 562307a4a7082e24553f3d2c55dab397a17c4b4f Mon Sep 17 00:00:00 2001 +From: Thomas Daede <daede003@umn.edu> +Date: Thu, 15 Mar 2018 21:47:09 -0700 +Subject: [PATCH] Prevent out-of-bounds write in codebook decoding. + +Codebooks that are not an exact divisor of the partition size are now +truncated to fit within the partition. +--- + codebook.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/codebook.c b/codebook.c +index f8b7983..1e1ae8a 100644 +--- a/codebook.c ++++ b/codebook.c +@@ -258,7 +258,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a, + t[i] = book->valuelist+entry[i]*book->dim; + } + for(i=0,o=0;i<book->dim;i++,o+=step) +- for (j=0;j<step;j++) ++ for (j=0;o+j<n && j<step;j++) + a[o+j]+=t[j][i]>>shift; + }else{ + for (i = 0; i < step; i++) { +@@ -267,7 +267,7 @@ long vorbis_book_decodevs_add(codebook *book,ogg_int32_t *a, + t[i] = book->valuelist+entry[i]*book->dim; + } + for(i=0,o=0;i<book->dim;i++,o+=step) +- for (j=0;j<step;j++) ++ for (j=0;o+j<n && j<step;j++) + a[o+j]+=t[j][i]<<-shift; + } + } +@@ -287,7 +287,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a, + entry = decode_packed_entry_number(book,b); + if(entry==-1)return(-1); + t = book->valuelist+entry*book->dim; +- for (j=0;j<book->dim;) ++ for (j=0;i<n && j<book->dim;) + a[i++]+=t[j++]>>shift; + } + }else{ +@@ -295,7 +295,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a, + entry = decode_packed_entry_number(book,b); + if(entry==-1)return(-1); + t = book->valuelist+entry*book->dim; +- for (j=0;j<book->dim;) ++ for (j=0;i<n && j<book->dim;) + a[i++]+=t[j++]<<-shift; + } + } +@@ -352,15 +352,15 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\ + long i,j,entry; + int chptr=0; + int shift=point-book->binarypoint; +- ++ int m=offset+n; + if(shift>=0){ + +- for(i=offset;i<offset+n;){ ++ for(i=offset;i<m;){ + entry = decode_packed_entry_number(book,b); + if(entry==-1)return(-1); + { + const ogg_int32_t *t = book->valuelist+entry*book->dim; +- for (j=0;j<book->dim;j++){ ++ for (j=0;i<m && j<book->dim;j++){ + a[chptr++][i]+=t[j]>>shift; + if(chptr==ch){ + chptr=0; +@@ -371,12 +371,12 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,\ + } + }else{ + +- for(i=offset;i<offset+n;){ ++ for(i=offset;i<m;){ + entry = decode_packed_entry_number(book,b); + if(entry==-1)return(-1); + { + const ogg_int32_t *t = book->valuelist+entry*book->dim; +- for (j=0;j<book->dim;j++){ ++ for (j=0;i<m && j<book->dim;j++){ + a[chptr++][i]+=t[j]<<-shift; + if(chptr==ch){ + chptr=0; +-- +2.11.0 + |