[FFmpeg-cvslog] r24675 - trunk/libavcodec/vorbis_dec.c
alexc
subversion
Tue Aug 3 02:25:06 CEST 2010
Author: alexc
Date: Tue Aug 3 02:25:06 2010
New Revision: 24675
Log:
vorbisdec: Prevent a potential integer overflow.
If sizeof uint_fast8_t > 1 and sizeof size_t <= 4, the expression that mallocs
classifs is susceptible to integer overflow.
Modified:
trunk/libavcodec/vorbis_dec.c
Modified: trunk/libavcodec/vorbis_dec.c
==============================================================================
--- trunk/libavcodec/vorbis_dec.c Tue Aug 3 01:49:49 2010 (r24674)
+++ trunk/libavcodec/vorbis_dec.c Tue Aug 3 02:25:06 2010 (r24675)
@@ -103,7 +103,7 @@ typedef struct {
int_fast16_t books[64][8];
uint_fast8_t maxpass;
uint_fast16_t ptns_to_read;
- uint_fast8_t *classifs;
+ uint8_t *classifs;
} vorbis_residue;
typedef struct {
@@ -1267,7 +1267,7 @@ static av_always_inline int vorbis_resid
GetBitContext *gb = &vc->gb;
uint_fast8_t c_p_c = vc->codebooks[vr->classbook].dimensions;
uint_fast16_t ptns_to_read = vr->ptns_to_read;
- uint_fast8_t *classifs = vr->classifs;
+ uint8_t *classifs = vr->classifs;
uint_fast8_t pass;
uint_fast8_t ch_used;
uint_fast8_t i,j,l;
More information about the ffmpeg-cvslog
mailing list