File CVE-2019-9232.patch of Package libvpx (Revision b3d381739b8ea7a574c3958ad052b638)
Currently displaying revision b3d381739b8ea7a574c3958ad052b638 , Show latest
xxxxxxxxxx
1
commit 46e17f0cb4a80b36755c84b8bf15731d3386c08f
2
Author: Fyodor Kyslov <kyslov@google.com>
3
Date: Fri Jan 4 17:04:09 2019 -0800
4
5
Fix OOB memory access on fuzzed data
6
7
vp8_norm table has 256 elements while index to it can be higher on
8
fuzzed data. Typecasting it to unsigned char will ensure valid range and
9
will trigger proper error later. Also declaring "shift" as unsigned char to
10
avoid UB sanitizer warning
11
12
BUG=b/122373286,b/122373822,b/122371119
13
14
Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5
15
16
Index: libvpx-1.6.1/vp8/decoder/dboolhuff.h
17
===================================================================
18
--- libvpx-1.6.1.orig/vp8/decoder/dboolhuff.h
19
+++ libvpx-1.6.1/vp8/decoder/dboolhuff.h
20
21
}
22
23
{
24
- register int shift = vp8_norm[range];
25
+ const unsigned char shift = vp8_norm[(unsigned char)range];
26
range <<= shift;
27
value <<= shift;
28
count -= shift;
29
Index: libvpx-1.6.1/vpx_dsp/bitreader.h
30
===================================================================
31
--- libvpx-1.6.1.orig/vpx_dsp/bitreader.h
32
+++ libvpx-1.6.1/vpx_dsp/bitreader.h
33
34
}
35
36
{
37
- register int shift = vpx_norm[range];
38
+ const unsigned char shift = vpx_norm[(unsigned char)range];
39
range <<= shift;
40
value <<= shift;
41
count -= shift;
42