Commit d9c0b177 authored by Monty's avatar Monty

If fuzzing swaps in a codebook that allows values outside the circular

range of the piecewise representation, it can overflow the lookup.
Proper fix here is just a simple clamp.




git-svn-id: https://svn.xiph.org/trunk/Tremor@17543 0101bb08-14d6-0310-b084-bc0e0c8e3800
parent 55be1042
......@@ -394,7 +394,7 @@ static void *floor1_inverse1(vorbis_block *vb,vorbis_look_floor *in){
}
}
fit_value[i]=val+predicted;
fit_value[i]=(val+predicted)&0x7fff;;
fit_value[look->loneighbor[i-2]]&=0x7fff;
fit_value[look->hineighbor[i-2]]&=0x7fff;
......@@ -425,14 +425,20 @@ static int floor1_inverse2(vorbis_block *vb,vorbis_look_floor *in,void *memo,
int hx=0;
int lx=0;
int ly=fit_value[0]*info->mult;
/* guard lookup against out-of-rage values */
ly=(ly<0?0:ly>255?255:ly);
for(j=1;j<look->posts;j++){
int current=look->forward_index[j];
int hy=fit_value[current]&0x7fff;
if(hy==fit_value[current]){
hy*=info->mult;
hx=info->postlist[current];
hy*=info->mult;
/* guard lookup against out-of-rage values */
hy=(hy<0?0:hy>255?255:hy);
render_line(n,lx,hx,ly,hy,out);
lx=hx;
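Review bot: The new assignment `fit_value[i]=(val+predicted)&0x7fff;;` in floor1_inverse1 wraps instead of clamping, so a negative sum produced by a malformed codebook turns into a large positive post that the later `hy>255?255` clamp in floor1_inverse2 pins to full scale. The lookup stays in bounds, but only because of that second clamp. I would drop the stray second semicolon and add a comment such as `/* mask only keeps bit 15 clear for the if(hy==fit_value[current]) test; range is enforced by the clamp in floor1_inverse2 */` so the dependency survives later refactors. Both added comments read "out-of-rage" and should be `/* guard lookup against out-of-range values */`. The +/- markers are lost on this page, so which lines are new is inferred from the duplicated statements, and both function bodies continue outside the hunks.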
......