Blame SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch

From d4a359feea3b2d1ca8dc1493d0fb4aac376fb967 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 25 Mar 2020 12:26:24 +0100
Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data
vp8_norm table has 256 elements while index to it can be higher on
fuzzed data. Typecasting it to unsigned char will ensure valid range and
will trigger proper error later. Also declaring "shift" as unsigned char to
avoid UB sanitizer warning
---
 vp8/decoder/dboolhuff.h     | 2 +-
 vp9/decoder/vp9_dboolhuff.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
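diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index 4c0ca1ce7..00a330723 100644
--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -84,7 +84,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
     }
 
     {
-        register unsigned int shift = vp8_norm[range];
+        register unsigned char shift = vp8_norm[(unsigned char)range];
         range <<= shift;
         value <<= shift;
         count -= shift;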
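Review bot: The `(unsigned char)range` cast on the `vp8_norm` lookup in `vp8dx_decode_bool` bounds the index to the 256-entry table, but it does so by silently wrapping a `range` that is already out of spec, and nothing at the site records that this is a memory-safety clamp rather than an ordinary conversion. The commit message says the bad stream is rejected by a later error; that check is not visible in this hunk, so it is worth confirming the error path is actually reached and pinning it with a regression test built from the fuzzed input. I would add a comment above the lookup such as `/* range may exceed 255 on corrupt data; the cast only bounds the vp8_norm index, the stream error is raised later */`. The same applies to the `vp9_norm` lookup in `vp9_read` in vp9/decoder/vp9_dboolhuff.h; both function bodies start and end outside their hunks.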
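diff --git a/vp9/decoder/vp9_dboolhuff.h b/vp9/decoder/vp9_dboolhuff.h
index fd8e74ca4..0f3634a06 100644
--- a/vp9/decoder/vp9_dboolhuff.h
+++ b/vp9/decoder/vp9_dboolhuff.h
@@ -63,7 +63,7 @@ static int vp9_read(vp9_reader *br, int probability) {
   }
 
   {
-    register unsigned int shift = vp9_norm[range];
+    register unsigned char shift = vp9_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;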
-- 
2.25.1