Mercurial > libavcodec.hg
comparison vorbis_dec.c @ 12347:bc21b45eba99 libavcodec
vorbisdec: Prevent a potential integer overflow.
If sizeof uint_fast8_t > 1 and sizeof size_t <= 4, the expression that mallocs
classifs is susceptible to integer overflow.
| author | alexc |
|---|---|
| date | Tue, 03 Aug 2010 00:25:06 +0000 |
| parents | ad24cca213ae |
| children | 97a9ea928ffc |
comparison
equal
deleted
inserted
replaced
| 12346:015c13a563dd | 12347:bc21b45eba99 |
|---|---|
| 101 uint_fast8_t classifications; | 101 uint_fast8_t classifications; |
| 102 uint_fast8_t classbook; | 102 uint_fast8_t classbook; |
| 103 int_fast16_t books[64][8]; | 103 int_fast16_t books[64][8]; |
| 104 uint_fast8_t maxpass; | 104 uint_fast8_t maxpass; |
| 105 uint_fast16_t ptns_to_read; | 105 uint_fast16_t ptns_to_read; |
| 106 uint_fast8_t *classifs; | 106 uint8_t *classifs; |
| 107 } vorbis_residue; | 107 } vorbis_residue; |
| 108 | 108 |
| 109 typedef struct { | 109 typedef struct { |
| 110 uint_fast8_t submaps; | 110 uint_fast8_t submaps; |
| 111 uint_fast16_t coupling_steps; | 111 uint_fast16_t coupling_steps; |
| 1265 int vr_type) | 1265 int vr_type) |
| 1266 { | 1266 { |
| 1267 GetBitContext *gb = &vc->gb; | 1267 GetBitContext *gb = &vc->gb; |
| 1268 uint_fast8_t c_p_c = vc->codebooks[vr->classbook].dimensions; | 1268 uint_fast8_t c_p_c = vc->codebooks[vr->classbook].dimensions; |
| 1269 uint_fast16_t ptns_to_read = vr->ptns_to_read; | 1269 uint_fast16_t ptns_to_read = vr->ptns_to_read; |
| 1270 uint_fast8_t *classifs = vr->classifs; | 1270 uint8_t *classifs = vr->classifs; |
| 1271 uint_fast8_t pass; | 1271 uint_fast8_t pass; |
| 1272 uint_fast8_t ch_used; | 1272 uint_fast8_t ch_used; |
| 1273 uint_fast8_t i,j,l; | 1273 uint_fast8_t i,j,l; |
| 1274 uint_fast16_t k; | 1274 uint_fast16_t k; |
| 1275 | 1275 |