On 01/05/2012 04:01 PM, Reinhard Tartler wrote:

> From: Chris Evans <cev...@chromium.org>
> 
> Fixes Bug: #190
> Chromium Bug: #100543
> Related to CVE-2011-3893
> 
> Signed-off-by: Reinhard Tartler <siret...@tauware.de>
> ---
>  libavcodec/vorbis.c |    6 +++---
>  1 files changed, 3 insertions(+), 3 deletions(-)
> 
> I've implemented Ronald's second suggestion.
> 
> diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
> index 86df288..66364d1 100644
> --- a/libavcodec/vorbis.c
> +++ b/libavcodec/vorbis.c
> @@ -152,7 +152,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * 
> list, int values)
>      }
>  }
>  
> -static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
> +static inline void render_line_unrolled(intptr_t x, unsigned char y, int x1,
>                                          intptr_t sy, int ady, int adx,
>                                          float *buf)
>  {
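
Review bot: Narrowing y to unsigned char in render_line_unrolled makes the bound implicit in the type, and nothing in the signature or a comment says which limit the 8-bit width is meant to match. sy is still intptr_t, so any result of combining the two is truncated silently when it is stored back into y. Please either keep the wider type and range-check y explicitly, or add a comment stating the invariant that the 8-bit width enforces.
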
> @@ -175,7 +175,7 @@ static inline void render_line_unrolled(intptr_t x, 
> intptr_t y, int x1,
>      }
>  }
>  
> -static void render_line(int x0, int y0, int x1, int y1, float *buf)
> +static void render_line(int x0, unsigned char y0, int x1, int y1, float *buf)
>  {
>      int dy  = y1 - y0;
>      int adx = x1 - x0;
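
Review bot: Only y0 is narrowed in render_line; y1 stays int, so "int dy = y1 - y0;" is computed from a start value that was truncated at the call and an end value that was not constrained at all. An out-of-range y0 from the caller is wrapped without any diagnostic, and the slope then describes a different line than the caller asked for. Validating or clipping both y0 and y1 to the same range at function entry (or in the caller) would keep dy consistent and make the limit visible.
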
> @@ -187,7 +187,7 @@ static void render_line(int x0, int y0, int x1, int y1, 
> float *buf)
>      } else {
>          int base = dy / adx;
>          int x    = x0;
> -        int y    = y0;
> +        unsigned char y = y0;
>          int err  = -adx;
>          ady -= FFABS(base) * adx;
>          while (++x < x1) {
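
Review bot: With "unsigned char y = y0;" any update to y inside the loop that follows wraps modulo 256 instead of saturating, so a value that leaves the range comes back as a valid-looking but wrong value rather than being stopped at the bound. That hides malformed input instead of handling it. Keeping y as int and clamping it to the intended range before each use would make the bound explicit and would not depend on the width of unsigned char.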


This seems like a pretty hackish way to go about this. It might be
better to actually clip the values at the table bounds rather than
changing the data type and allowing it to overflow.

-Justin


_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel
