Backport codebook out-of-bounds write fix from main branch

Backports commit 562307a4 from
tremor main branch:

    Prevent out-of-bounds write in codebook decoding.

    Codebooks that are not an exact divisor of the partition size are now
    truncated to fit within the partition.
parent 550bb0a2
...@@ -738,7 +738,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a, ...@@ -738,7 +738,7 @@ long vorbis_book_decodev_add(codebook *book,ogg_int32_t *a,
for(i=0;i<n;){ for(i=0;i<n;){
if(decode_map(book,b,v,point))return -1; if(decode_map(book,b,v,point))return -1;
for (j=0;j<book->dim;j++) for (j=0;i<n && j<book->dim;j++)
a[i++]+=v[j]; a[i++]+=v[j];
} }
} }
...@@ -779,10 +779,11 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a, ...@@ -779,10 +779,11 @@ long vorbis_book_decodevv_add(codebook *book,ogg_int32_t **a,
ogg_int32_t *v = (ogg_int32_t *)alloca(sizeof(*v)*book->dim); ogg_int32_t *v = (ogg_int32_t *)alloca(sizeof(*v)*book->dim);
long i,j; long i,j;
int chptr=0; int chptr=0;
long m=offset+n;
for(i=offset;i<offset+n;){ for(i=offset;i<m;){
if(decode_map(book,b,v,point))return -1; if(decode_map(book,b,v,point))return -1;
for (j=0;j<book->dim;j++){ for (j=0;i<m && j<book->dim;j++){
a[chptr++][i]+=v[j]; a[chptr++][i]+=v[j];
if(chptr==ch){ if(chptr==ch){
chptr=0; chptr=0;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment