# HG changeset patch
# User alexc
# Date 1280795106 0
# Node ID bc21b45eba99d5e61373c2a5e0b6c329ff429f17
# Parent  015c13a563dddae711081329b86eba64ae5e7a33
vorbisdec: Prevent a potential integer overflow.

If sizeof uint_fast8_t > 1 and sizeof size_t <= 4, the expression that mallocs
classifs  is susceptible to integer overflow.

diff -r 015c13a563dd -r bc21b45eba99 vorbis_dec.c
--- a/vorbis_dec.c	Mon Aug 02 23:49:49 2010 +0000
+++ b/vorbis_dec.c	Tue Aug 03 00:25:06 2010 +0000
@@ -103,7 +103,7 @@
     int_fast16_t  books[64][8];
     uint_fast8_t  maxpass;
     uint_fast16_t ptns_to_read;
-    uint_fast8_t *classifs;
+    uint8_t *classifs;
 } vorbis_residue;
 
 typedef struct {
@@ -1267,7 +1267,7 @@
     GetBitContext *gb = &vc->gb;
     uint_fast8_t c_p_c = vc->codebooks[vr->classbook].dimensions;
     uint_fast16_t ptns_to_read = vr->ptns_to_read;
-    uint_fast8_t *classifs = vr->classifs;
+    uint8_t *classifs = vr->classifs;
     uint_fast8_t pass;
     uint_fast8_t ch_used;
     uint_fast8_t i,j,l;