From 953b0b85f8462efeac179341c912617c1bae8d4c Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 25 Mar 2020 13:39:30 +0100
Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data

vp8_norm table has 256 elements while index to it can be higher on fuzzed data. Typecasting it to unsigned char will ensure valid range and will trigger proper error later. Also declaring "shift" as unsigned char to avoid UB sanitizer warning

BUG=b/122373286,b/122373822,b/122371119
---
 vp8/decoder/dboolhuff.h | 2 +-
 vpx_dsp/bitreader.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index 04c027cd7..f3b080509 100644
--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
 }
 {
- register int shift = vp8_norm[range];
+ register unsigned char shift = vp8_norm[(unsigned char)range];
 range <<= shift;
 value <<= shift;
 count -= shift;
diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h
index 6ee2a5863..4b87e986c 100644
--- a/vpx_dsp/bitreader.h
+++ b/vpx_dsp/bitreader.h
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {
 }
 {
- register int shift = vpx_norm[range];
+ register unsigned char shift = vpx_norm[(unsigned char)range];
 range <<= shift;
 value <<= shift;
 count -= shift;
--
2.25.1
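Review bot: The `(unsigned char)range` cast in vp8dx_decode_bool (vp8/decoder/dboolhuff.h), and the identical one in vpx_read (vpx_dsp/bitreader.h), keeps the index inside the 256-entry norm table but silently truncates an out-of-range `range` instead of detecting it. After truncation the looked-up shift no longer corresponds to the real `range`, so `range <<= shift` appears to carry the invalid value forward, and the "proper error later" that the commit message relies on is not visible in either hunk. Since memory safety here depends on that downstream check, the line should carry a comment naming it, for example `/* range > 255 only on corrupt input: index is truncated to stay inside the 256-entry table; the stream error is reported by <name of the later check> */`. It is also worth confirming that every caller reaches that check before using the decoded bits. Both function bodies begin and end outside the hunks, so the declared type of `range` and the error path could not be verified from this patch.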