From 3ada73cc10e6da279bf3b6458e30343ed7d2f01e Mon Sep 17 00:00:00 2001
From: Tim Terriberry <tterribe@xiph.org>
Date: Fri, 15 Oct 2010 02:52:29 +0000
Subject: [PATCH] Fix decoder handling of floor0 when the LSP order is 1.

Header setup allows the LSP order to be as low as one, but the code in
 vorbis_lsp_to_curve() assumed it was at least two.
This wasn't terrible in libvorbis... it would multiply a nonsense (but defined)
 value into the output, and nothing more.
In Tremor, it referenced several completely undefined (stack) values, which
 could cause out-of-bounds lookup table accesses and crashes.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17538 0101bb08-14d6-0310-b084-bc0e0c8e3800
---
 asm_arm.h | 10 ++++++----
 floor0.c  | 23 +++++++++++++----------
 2 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/asm_arm.h b/asm_arm.h
index 3a3716d..c3bda00 100644
--- a/asm_arm.h
+++ b/asm_arm.h
@@ -132,8 +132,9 @@ static inline void lsp_loop_asm(ogg_uint32_t *qip,ogg_uint32_t *pip,
   ogg_int32_t qexp=*qexpp;
 
   asm("mov     r0,%3;"
-      "mov     r1,%5,asr#1;"
+      "movs    r1,%5,asr#1;"
       "add     r0,r0,r1,lsl#3;"
+      "beq 2f;\n"
       "1:"
       
       "ldmdb   r0!,{r1,r3};"
@@ -156,9 +157,10 @@ static inline void lsp_loop_asm(ogg_uint32_t *qip,ogg_uint32_t *pip,
       "cmp     r0,%3;\n"
       "bhi     1b;\n"
       
+      "2:"
       // odd filter assymetry
       "ands    r0,%5,#1;\n"
-      "beq     2f;\n"
+      "beq     3f;\n"
       "add     r0,%3,%5,lsl#2;\n"
       
       "ldr     r1,[r0,#-4];\n"
@@ -170,7 +172,7 @@ static inline void lsp_loop_asm(ogg_uint32_t *qip,ogg_uint32_t *pip,
       "umull   %1,r3,r0,%1;\n"       //pi*=labs(ilsp[j+1]-wi)
       
       "cmn     r2,r3;\n"             // shift down 16?
-      "beq     2f;\n"
+      "beq     3f;\n"
       "add     %2,%2,#16;\n"
       "mov     %0,%0,lsr #16;\n"
       "orr     %0,%0,r2,lsl #16;\n"
@@ -184,7 +186,7 @@ static inline void lsp_loop_asm(ogg_uint32_t *qip,ogg_uint32_t *pip,
       //}
 	 
       /* normalize to max 16 sig figs */
-      "2:"
+      "3:"
       "mov     r2,#0;"
       "orr     r1,%0,%1;"
       "tst     r1,#0xff000000;"
diff --git a/floor0.c b/floor0.c
index 3f17950..5c58f77 100644
--- a/floor0.c
+++ b/floor0.c
@@ -197,16 +197,19 @@ void vorbis_lsp_to_curve(ogg_int32_t *curve,int *map,int n,int ln,
 
 #else
 
-    qi*=labs(ilsp[0]-wi);
-    pi*=labs(ilsp[1]-wi);
-
-    for(j=3;j<m;j+=2){
-      if(!(shift=MLOOP_1[(pi|qi)>>25]))
-	if(!(shift=MLOOP_2[(pi|qi)>>19]))
-	  shift=MLOOP_3[(pi|qi)>>16];
-      qi=(qi>>shift)*labs(ilsp[j-1]-wi);
-      pi=(pi>>shift)*labs(ilsp[j]-wi);
-      qexp+=shift;
+    j=1;
+    if(m>1){
+      qi*=labs(ilsp[0]-wi);
+      pi*=labs(ilsp[1]-wi);
+
+      for(j+=2;j<m;j+=2){
+        if(!(shift=MLOOP_1[(pi|qi)>>25]))
+          if(!(shift=MLOOP_2[(pi|qi)>>19]))
+            shift=MLOOP_3[(pi|qi)>>16];
+        qi=(qi>>shift)*labs(ilsp[j-1]-wi);
+        pi=(pi>>shift)*labs(ilsp[j]-wi);
+        qexp+=shift;
+      }
     }
     if(!(shift=MLOOP_1[(pi|qi)>>25]))
       if(!(shift=MLOOP_2[(pi|qi)>>19]))
-- 
GitLab