File CVE-2019-9232.patch of Package libvpx.14316
commit 46e17f0cb4a80b36755c84b8bf15731d3386c08f
Author: Fyodor Kyslov <kyslov@google.com>
Date: Fri Jan 4 17:04:09 2019 -0800
Fix OOB memory access on fuzzed data
vp8_norm table has 256 elements while index to it can be higher on
fuzzed data. Typecasting it to unsigned char will ensure valid range and
will trigger proper error later. Also declaring "shift" as unsigned char to
avoid UB sanitizer warning
BUG=b/122373286,b/122373822,b/122371119
Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5
Index: libvpx-1.6.1/vp8/decoder/dboolhuff.h
===================================================================
--- libvpx-1.6.1.orig/vp8/decoder/dboolhuff.h
+++ libvpx-1.6.1/vp8/decoder/dboolhuff.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODE
}
{
- register int shift = vp8_norm[range];
+ const unsigned char shift = vp8_norm[(unsigned char)range];
range <<= shift;
value <<= shift;
count -= shift;
Index: libvpx-1.6.1/vpx_dsp/bitreader.h
===================================================================
--- libvpx-1.6.1.orig/vpx_dsp/bitreader.h
+++ libvpx-1.6.1/vpx_dsp/bitreader.h
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r
}
{
- register int shift = vpx_norm[range];
+ const unsigned char shift = vpx_norm[(unsigned char)range];
range <<= shift;
value <<= shift;
count -= shift;