From 953b0b85f8462efeac179341c912617c1bae8d4c Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 25 Mar 2020 13:39:30 +0100
Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data
vp8_norm table has 256 elements while index to it can be higher on
fuzzed data. Typecasting it to unsigned char will ensure valid range and
will trigger proper error later. Also declaring "shift" as unsigned char to
avoid UB sanitizer warning
BUG=b/122373286,b/122373822,b/122371119
---
vp8/decoder/dboolhuff.h | 2 +-
vpx_dsp/bitreader.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index 04c027cd7..f3b080509 100644
--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
}
{
- register int shift = vp8_norm[range];
+ register unsigned char shift = vp8_norm[(unsigned char)range];
range <<= shift;
value <<= shift;
count -= shift;
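Review bot: The `(unsigned char)range` cast on the new `shift` line is the only thing keeping the `vp8_norm` lookup inside its 256 entries, yet nothing in the code says so, and it reads like a redundant narrowing that a later cleanup could remove. A comment above the line would record the intent, e.g. `/* range may exceed 255 on corrupt input; the cast bounds the vp8_norm index, the stream error is detected later */`. The cast wraps rather than rejects, so an out-of-range value selects an unrelated table entry and decoding continues with a wrong shift; the commit message relies on a later error check that is not visible in this hunk, so that path is worth confirming with a regression input from the fuzzer. The same point applies to the `vpx_norm` lookup in `vpx_read` in vpx_dsp/bitreader.h. The body of `vp8dx_decode_bool` starts and ends outside the hunk.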
diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h
index 6ee2a5863..4b87e986c 100644
--- a/vpx_dsp/bitreader.h
+++ b/vpx_dsp/bitreader.h
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {
}
{
- register int shift = vpx_norm[range];
+ register unsigned char shift = vpx_norm[(unsigned char)range];
range <<= shift;
value <<= shift;
count -= shift;
--
2.25.1