From 953b0b85f8462efeac179341c912617c1bae8d4c Mon Sep 17 00:00:00 2001

From: Wim Taymans <wtaymans@redhat.com>

Date: Wed, 25 Mar 2020 13:39:30 +0100

Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data

vp8_norm table has 256 elements while index to it can be higher on

fuzzed data. Typecasting it to unsigned char will ensure valid range and

will trigger proper error later. Also declaring "shift" as unsigned char to

avoid UB sanitizer warning

BUG=b/122373286,b/122373822,b/122371119

---

 vp8/decoder/dboolhuff.h | 2 +-

 vpx_dsp/bitreader.h     | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h

index 04c027cd7..f3b080509 100644

--- a/vp8/decoder/dboolhuff.h

+++ b/vp8/decoder/dboolhuff.h

@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {

   }

   {

-    register int shift = vp8_norm[range];

+    register unsigned char shift = vp8_norm[(unsigned char)range];

     range <<= shift;

     value <<= shift;

     count -= shift;

diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h

index 6ee2a5863..4b87e986c 100644

--- a/vpx_dsp/bitreader.h

+++ b/vpx_dsp/bitreader.h

@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {

   }

   {

-    register int shift = vpx_norm[range];

+    register unsigned char shift = vpx_norm[(unsigned char)range];

     range <<= shift;

     value <<= shift;

     count -= shift;

-- 

2.25.1