authorkyslov <kyslov@google.com>2019-01-04 17:04:09 -0800
committerkyslov <kyslov@google.com>2019-01-07 10:35:34 -0800
commit46e17f0cb4a80b36755c84b8bf15731d3386c08f (patch)
tree8a507716c65f3ef3c0f4b482887e2b88f5359ff6 /vp8/decoder
parentb625feb3588e7e598fab2c0df1e28f2ea0a7b3e1 (diff)
Fix OOB memory access on fuzzed data
The vp8_norm table has 256 elements, while the index into it can be higher on fuzzed data. Typecasting the index to unsigned char will ensure a valid range and will trigger a proper error later. Also declaring "shift" as unsigned char to avoid a UB sanitizer warning.
BUG=b/122373286,b/122373822,b/122371119
Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5
Diffstat (limited to 'vp8/decoder')
-rw-r--r--vp8/decoder/dboolhuff.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index e342d7c5c..f2a18f0d9 100644
--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
}
{
- const int shift = vp8_norm[range];
+ const unsigned char shift = vp8_norm[(unsigned char)range];
range <<= shift;
value <<= shift;
count -= shift;
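Review bot: The `(unsigned char)range` cast on the new `shift` line keeps the `vp8_norm[]` lookup in bounds, but it masks an out-of-range `range` instead of detecting it, so decoding continues with a shift taken from the truncated index. The commit message relies on an error being raised later, and that check is not visible in this hunk; it is worth confirming that every caller reaches it before the decoded bits are used. At minimum the line deserves a comment such as `/* range may exceed 255 on corrupt input; the cast bounds the 256-entry vp8_norm[] lookup, the error is reported later */`. vp8dx_decode_bool starts and ends outside the hunk, so how `range` gets above 255 cannot be judged from here.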