
Fix OOB memory access on fuzzed data

vp8_norm table has 256 elements while index to it can be higher on
fuzzed data. Typecasting it to unsigned char will ensure valid range and
will trigger proper error later. Also declaring "shift" as unsigned char to
avoid UB sanitizer warning

BUG=b/122373286,b/122373822,b/122371119

Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5
kyslov committed Jan 5, 2019
1 parent b625feb commit 46e17f0cb4a80b36755c84b8bf15731d3386c08f
Showing with 2 additions and 2 deletions.
  1. +1 −1 vp8/decoder/dboolhuff.h
  2. +1 −1 vpx_dsp/bitreader.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
}

{
const int shift = vp8_norm[range];
const unsigned char shift = vp8_norm[(unsigned char)range];
range <<= shift;
value <<= shift;
count -= shift;
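Review bot: The `(unsigned char)range` cast on the `vp8_norm` lookup keeps the index inside the 256-entry table, but it does so by silently truncating, so an out-of-range `range` now selects an unrelated entry and decoding continues with a wrong `shift`. The commit message says this "will trigger proper error later", yet nothing in this hunk shows where that error is raised. Please either check `range` explicitly before the lookup and flag the decoder as corrupt at that point, or add a comment on this line naming the later check that catches the bad state, so the cast is not read as the complete fix.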
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {
}

{
const int shift = vpx_norm[range];
const unsigned char shift = vpx_norm[(unsigned char)range];
range <<= shift;
value <<= shift;
count -= shift;
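Review bot: The `vpx_norm[(unsigned char)range]` line in `vpx_read` repeats the change made in `vp8dx_decode_bool`, with no comment explaining why the index is narrowed, and the commit touches only the two headers, so no regression input for the referenced bugs comes with it. Consider moving the clamped lookup into one shared, documented helper so the two readers cannot drift apart, and adding a test or fuzzer corpus entry that drives `range` past 255 to confirm the stream is rejected rather than decoded with a truncated index.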
