[SCM] libav/experimental: vorbisdec: Prevent a potential integer overflow.
siretart at users.alioth.debian.org
Sun Jun 30 17:13:27 UTC 2013
The following commit has been merged in the experimental branch:
commit 366d919016a679d3955f6fe5278fa7ce4f47b81e
Author: Alex Converse <alex.converse at gmail.com>
Date: Tue Aug 3 00:25:06 2010 +0000
vorbisdec: Prevent a potential integer overflow.
If sizeof uint_fast8_t > 1 and sizeof size_t <= 4, the expression that mallocs
classifs is susceptible to integer overflow.
Originally committed as revision 24675 to svn://svn.ffmpeg.org/ffmpeg/trunk
diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 1772e55..b543f5c 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -103,7 +103,7 @@ typedef struct {
int_fast16_t books[64][8];
uint_fast8_t maxpass;
uint_fast16_t ptns_to_read;
- uint_fast8_t *classifs;
+ uint8_t *classifs;
} vorbis_residue;
typedef struct {
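Review bot: the `classifs` field change in `vorbis_residue` fixes the element size at one byte, but the allocation that the commit message calls overflow-prone is not part of this patch, so the fix is only implicit. If that allocation multiplies by a `sizeof` of the element type, it would be clearer written as `sizeof(*vr->classifs)` so it follows the field type, and an explicit range check on the element count before the multiplication would keep the allocation safe even if the type is changed again later.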
@@ -1267,7 +1267,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
GetBitContext *gb = &vc->gb;
uint_fast8_t c_p_c = vc->codebooks[vr->classbook].dimensions;
uint_fast16_t ptns_to_read = vr->ptns_to_read;
- uint_fast8_t *classifs = vr->classifs;
+ uint8_t *classifs = vr->classifs;
uint_fast8_t pass;
uint_fast8_t ch_used;
uint_fast8_t i,j,l;
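Review bot: the local `classifs` pointer in `vorbis_residue_decode_internal` now differs from the neighbouring `uint_fast8_t` locals (`pass`, `ch_used`, `i,j,l`) with nothing to say why. A one-line comment here or at the struct field, noting that `uint8_t` is deliberate because the buffer size is computed from the element size, would stop a later cleanup from changing it back to `uint_fast8_t`. It is also worth confirming that every value stored through this pointer fits in 8 bits on platforms where `uint_fast8_t` was wider.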
--
Libav/FFmpeg packaging
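The condition in the commit message (element wider than one byte, size type of at most 32 bits) can be reproduced with the added example below, which is not code from libav or from this commit. The allocation expression itself is not shown in the email, so the `count * elem_size` form, the helper names and the sample count are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model a 32-bit size_t explicitly so the result is the same on any host. */
typedef uint32_t size32_t;

/* Unchecked byte count as a 32-bit target computes it: wraps modulo 2^32. */
static size32_t unchecked_bytes(uint32_t count, uint32_t elem_size)
{
    return (size32_t)((uint64_t)count * elem_size);
}

/* Returns 1 and stores the product if it fits in 32 bits, otherwise 0. */
static int checked_bytes(uint32_t count, uint32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Hypothetical helper: allocate count elements, refusing sizes that wrap. */
static void *alloc_array_checked(uint32_t count, uint32_t elem_size)
{
    size32_t bytes;
    if (!checked_bytes(count, elem_size, &bytes) || bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed value standing in for an element count taken from a stream. */
    const uint32_t count = 0x40000001u;
    /* 1 is sizeof(uint8_t); 4 and 8 are assumed widths of a wider uint_fast8_t. */
    const uint32_t widths[] = { 1, 4, 8 };
    for (int i = 0; i < 3; i++) {
        size32_t bytes = 0;
        int fits = checked_bytes(count, widths[i], &bytes);
        printf("elem=%u unchecked=0x%08x fits=%d\n", (unsigned)widths[i],
               (unsigned)unchecked_bytes(count, widths[i]), fits);
    }
    return 0;
}
```

With one-byte elements the product is the count itself and cannot wrap, which is why narrowing the type removes the overflow; with wider elements the unchecked product wraps to a few bytes and only the checked path rejects it.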