File CVE-2019-9232.patch of Package libvpx.30873

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-9232.patch of Package libvpx.30873

commit 46e17f0cb4a80b36755c84b8bf15731d3386c08f
Author: Fyodor Kyslov <kyslov@google.com>
Date:   Fri Jan 4 17:04:09 2019 -0800

Fix OOB memory access on fuzzed data
    
    vp8_norm table has 256 elements while index to it can be higher on
    fuzzed data. Typecasting it to unsigned char will ensure valid range and
    will trigger proper error later. Also declaring "shift" as unsigned char to
    avoid UB sanitizer warning
    
    BUG=b/122373286,b/122373822,b/122371119
    
    Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5

Index: libvpx-1.6.1/vp8/decoder/dboolhuff.h
===================================================================
--- libvpx-1.6.1.orig/vp8/decoder/dboolhuff.h
+++ libvpx-1.6.1/vp8/decoder/dboolhuff.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODE
   }
 
   {
-    register int shift = vp8_norm[range];
+    const unsigned char shift = vp8_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;
Index: libvpx-1.6.1/vpx_dsp/bitreader.h
===================================================================
--- libvpx-1.6.1.orig/vpx_dsp/bitreader.h
+++ libvpx-1.6.1/vpx_dsp/bitreader.h
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r
   }
 
   {
-    register int shift = vpx_norm[range];
+    const unsigned char shift = vpx_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;

Places

File CVE-2019-9232.patch of Package libvpx.30873

Places