From 953b0b85f8462efeac179341c912617c1bae8d4c Mon Sep 17 00:00:00 2001
|
|
From: Wim Taymans <wtaymans@redhat.com>
|
|
Date: Wed, 25 Mar 2020 13:39:30 +0100
|
|
Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data
|
|
|
|
vp8_norm table has 256 elements while index to it can be higher on
|
|
fuzzed data. Typecasting it to unsigned char will ensure valid range and
|
|
will trigger proper error later. Also declaring "shift" as unsigned char to
|
|
avoid UB sanitizer warning
|
|
|
|
BUG=b/122373286,b/122373822,b/122371119
|
|
---
|
|
vp8/decoder/dboolhuff.h | 2 +-
|
|
vpx_dsp/bitreader.h | 2 +-
|
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
|
|
index 04c027cd7..f3b080509 100644
|
|
--- a/vp8/decoder/dboolhuff.h
|
|
+++ b/vp8/decoder/dboolhuff.h
|
|
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
|
|
}
|
|
|
|
{
|
|
- register int shift = vp8_norm[range];
|
|
+ register unsigned char shift = vp8_norm[(unsigned char)range];
|
|
range <<= shift;
|
|
value <<= shift;
|
|
count -= shift;
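Review bot: The `(unsigned char)range` cast on the new `shift` line keeps the `vp8_norm` lookup inside its 256 entries, but it does so by silently truncating an out-of-range `range`, and nothing at the site records that. Per the commit message the corrupt stream is rejected later, outside this hunk, so until then the decoder carries a `shift` that no longer corresponds to the real `range`; it is worth confirming that callers check the decoder's error state before trusting the decoded bits. I would add a comment above the declaration such as `/* range can exceed 255 on corrupt input; the cast bounds the vp8_norm index, the stream error is reported later */`. The same applies to the `vpx_norm[(unsigned char)range]` line in `vpx_read` in vpx_dsp/bitreader.h. The body of `vp8dx_decode_bool` starts and ends outside the hunk.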
|
|
diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h
|
|
index 6ee2a5863..4b87e986c 100644
|
|
--- a/vpx_dsp/bitreader.h
|
|
+++ b/vpx_dsp/bitreader.h
|
|
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {
|
|
}
|
|
|
|
{
|
|
- register int shift = vpx_norm[range];
|
|
+ register unsigned char shift = vpx_norm[(unsigned char)range];
|
|
range <<= shift;
|
|
value <<= shift;
|
|
count -= shift;
|
|
--
|
|
2.25.1
|
|
|