author | Wei Jia <wjia@google.com> | 2015-09-08 09:35:22 -0700 |
---|---|---|
committer | Wei Jia <wjia@google.com> | 2015-09-08 10:04:14 -0700 |
commit | 9c91d74747d890e1bf5ca3a444ec62838823c083 (patch) | |
tree | 130d8eb412c78c23a62d2e0f094b615134e0f139 | |
parent | d20630f5f7c3eb2a108e94f40a063a34f720d0da (diff) | |
libvorbisidec: sanity check index of marker.
android-6.0.0_r26 android-6.0.0_r25 android-6.0.0_r24 android-6.0.0_r23 android-6.0.0_r13 android-6.0.0_r12 android-6.0.0_r11 marshmallow-dr-release
Bug: 23881715
Change-Id: I6b9185fc41341f997dca25f6394dcaab0927487b
-rw-r--r-- | Android.mk | 2 | ||||
-rw-r--r-- | Tremolo/codebook.c | 12 |
2 files changed, 11 insertions, 3 deletions
@@ -36,6 +36,8 @@ LOCAL_CFLAGS+= -O2 LOCAL_C_INCLUDES:= \ $(LOCAL_PATH)/Tremolo +LOCAL_SHARED_LIBRARIES := liblog + LOCAL_ARM_MODE := arm LOCAL_MODULE := libvorbisidec diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c index 66979dc..ff280b7 100644 --- a/Tremolo/codebook.c +++ b/Tremolo/codebook.c @@ -39,12 +39,14 @@ #include <string.h> #include <math.h> #include <limits.h> +#include <log/log.h> #include "ogg.h" #include "ivorbiscodec.h" #include "codebook.h" #include "misc.h" #include "os.h" +#define MARKER_SIZE 33 /**** pack/unpack helpers ******************************************/ int _ilog(unsigned int v){ @@ -145,7 +147,7 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, codebook *b, oggpack_buffer *opb,int maptype){ long i,j,count=0; long top=0; - ogg_uint32_t marker[33]; + ogg_uint32_t marker[MARKER_SIZE]; if (n<1) return 1; @@ -158,6 +160,10 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, for(i=0;i<n;i++){ long length=l[i]; if(length){ + if (length < 0 || length >= MARKER_SIZE) { + ALOGE("b/23881715"); + return 1; + } ogg_uint32_t entry=marker[length]; long chase=0; if(count && !entry)return -1; /* overpopulated tree! */ @@ -200,7 +206,7 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, /* prune the tree; the implicit invariant says all the longer markers were dangling from our just-taken node. Dangle them from our *new* node. */ - for(j=length+1;j<33;j++) + for(j=length+1;j<MARKER_SIZE;j++) if((marker[j]>>1) == entry){ entry=marker[j]; marker[j]=marker[j-1]<<1; @@ -217,7 +223,7 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, really exist; there's only one possible 'codeword' or zero bits, but the above tree-gen code doesn't mark that. */ if(b->used_entries != 1){ - for(i=1;i<33;i++) + for(i=1;i<MARKER_SIZE;i++) if(marker[i] & (0xffffffffUL>>(32-i))){ return 1; } |
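Review bot: In the `@@ -158,6 +160,10 @@` hunk of Tremolo/codebook.c, the new range check on `length` explains itself only through a bug number in the log string, so a later reader cannot tell that `length` is the index into `marker[]` on the very next line. I would add a comment above the check such as `/* l[i] is a codeword length and indexes marker[]; reject anything outside 0..MARKER_SIZE-1 */`, and a matching one on the define, `#define MARKER_SIZE 33 /* marker[] slots for codeword lengths 0..32 */`. The check also sits ahead of the `ogg_uint32_t entry=marker[length];` declaration, which makes the block rely on C99 mixed declarations; if the file is meant to stay C89-clean, declare `entry` first and assign it after the check. In the last hunk the mask `0xffffffffUL>>(32-i)` still hard-codes 32 beside the new `MARKER_SIZE` loop bound, so the two can drift apart. `_make_words` begins and ends outside these hunks, so how callers treat the new `return 1` is not visible here.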