From d4a359feea3b2d1ca8dc1493d0fb4aac376fb967 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 25 Mar 2020 12:26:24 +0100
Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data

The vp8_norm table has 256 elements, while the index into it can be higher
on fuzzed data. Typecasting the index to unsigned char ensures a valid range
and will trigger a proper error later. Also declare "shift" as unsigned char
to avoid a UB sanitizer warning.
---
 vp8/decoder/dboolhuff.h     | 2 +-
 vp9/decoder/vp9_dboolhuff.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index 4c0ca1ce7..00a330723 100644
--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -84,7 +84,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
     }
 
     {
-        register unsigned int shift = vp8_norm[range];
+        register unsigned char shift = vp8_norm[(unsigned char)range];
         range <<= shift;
         value <<= shift;
         count -= shift;
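Review bot: The cast in `vp8_norm[(unsigned char)range]` bounds the lookup by silently keeping only the low 8 bits of `range`, so an out-of-invariant `range` is masked at this line rather than rejected, and nothing visible in the hunk shows where the decoder later reports the corrupt stream that the commit message relies on. I would add a comment above the line, along the lines of `/* range may exceed 255 on corrupt input; the cast only bounds the vp8_norm[] index, the stream error is raised by <name the actual check> */`, so the safety argument is recorded next to the code and not only in the commit message. The narrowed `shift` still feeds `range <<= shift` and `value <<= shift`, which is well defined only while the table entries stay below the operand width (presumably true for a normalisation table, but worth stating in the same comment). The same point applies to the `vp9_norm[(unsigned char)range]` line in the vp9_read hunk; both function bodies start and end outside the hunks shown.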
diff --git a/vp9/decoder/vp9_dboolhuff.h b/vp9/decoder/vp9_dboolhuff.h
index fd8e74ca4..0f3634a06 100644
--- a/vp9/decoder/vp9_dboolhuff.h
+++ b/vp9/decoder/vp9_dboolhuff.h
@@ -63,7 +63,7 @@ static int vp9_read(vp9_reader *br, int probability) {
   }
 
   {
-    register unsigned int shift = vp9_norm[range];
+    register unsigned char shift = vp9_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;
-- 
2.25.1