Blame SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch

From d4a359feea3b2d1ca8dc1493d0fb4aac376fb967 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 25 Mar 2020 12:26:24 +0100
Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data
vp8_norm table has 256 elements while index to it can be higher on
fuzzed data. Typecasting it to unsigned char will ensure valid range and
will trigger proper error later. Also declaring "shift" as unsigned char to
avoid UB sanitizer warning
---
 vp8/decoder/dboolhuff.h     | 2 +-
 vp9/decoder/vp9_dboolhuff.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index 4c0ca1ce7..00a330723 100644
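--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -84,7 +84,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
     }
 
     {
-        register unsigned int shift = vp8_norm[range];
+        register unsigned char shift = vp8_norm[(unsigned char)range];
         range <<= shift;
         value <<= shift;
         count -= shift;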
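Review bot: The `(unsigned char)range` cast on the `vp8_norm[]` lookup in `vp8dx_decode_bool` keeps the index inside the 256-entry table, but it does so by silently wrapping an out-of-range `range` instead of detecting it, and nothing visible in this hunk shows where the "proper error later" promised in the commit message is actually raised. I would document that at the lookup, for example `/* corrupt data can leave range > 255; the cast only bounds the table index, the bad stream is rejected in <error path to be named> */`, so the next reader does not take the cast for a validity check. It would also help to state what `range` is guaranteed to be after `range <<= shift` when the index was truncated, since later calls use it to index the table again. The same point applies to the `vp9_norm[(unsigned char)range]` line in `vp9_read`; both function bodies start and end outside their hunks, so the declared types of `range`, `value` and `count` cannot be checked from here.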
diff --git a/vp9/decoder/vp9_dboolhuff.h b/vp9/decoder/vp9_dboolhuff.h
index fd8e74ca4..0f3634a06 100644
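--- a/vp9/decoder/vp9_dboolhuff.h
+++ b/vp9/decoder/vp9_dboolhuff.h
@@ -63,7 +63,7 @@ static int vp9_read(vp9_reader *br, int probability) {
   }
 
   {
-    register unsigned int shift = vp9_norm[range];
+    register unsigned char shift = vp9_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;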
-- 
2.25.1