# HG changeset patch
# User rbultje
# Date 1281362099 0
# Node ID 2ba9068e748d20816c1907a9dddd1445d3d66a08
# Parent  e402b74c4b62f8eb3fcb6081ae1606007d0b185a
Fix buffer overrun if idx is negative (it can be down to -23>>4), by prepending
two padding zeroes before it. Should fix fate failures on openBSD and crashes
on MacOSX (that I cannot reproduce).

diff -r e402b74c4b62 -r 2ba9068e748d wmavoice.c
--- a/wmavoice.c	Mon Aug 09 07:17:01 2010 +0000
+++ b/wmavoice.c	Mon Aug 09 13:54:59 2010 +0000
@@ -1033,7 +1033,8 @@
 static void aw_pulse_set2(WMAVoiceContext *s, GetBitContext *gb,
                           int block_idx, AMRFixed *fcb)
 {
-    uint16_t use_mask[7]; // only 5 are used, rest is padding
+    uint16_t use_mask_mem[9]; // only 5 are used, rest is padding
+    uint16_t *use_mask = use_mask_mem + 2;
     /* in this function, idx is the index in the 80-bit (+ padding) use_mask
      * bit-array. Since use_mask consists of 16-bit values, the lower 4 bits
      * of idx are the position of the bit within a particular item in the
@@ -1065,6 +1066,7 @@
     /* aw_pulse_set1() already applies pulses around pulse_off (to be exactly,
      * in the range of [pulse_off, pulse_off + s->aw_pulse_range], and thus
      * we exclude that range from being pulsed again in this function. */
+    memset(&use_mask[-2], 0, 2 * sizeof(use_mask[0]));
     memset( use_mask,   -1, 5 * sizeof(use_mask[0]));
     memset(&use_mask[5], 0, 2 * sizeof(use_mask[0]));
     if (s->aw_n_pulses[block_idx] > 0)