Fix OOB memory access on fuzzed data

vp8_norm table has 256 elements while index to it can be higher on
fuzzed data. Typecasting it to unsigned char will ensure valid range and
will trigger proper error later. Also declaring "shift" as unsigned char to
avoid UB sanitizer warning

BUG=b/122373286,b/122373822,b/122371119

Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5

diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index e342d7c..f2a18f0 100644 (file)
--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
   }
 
   {
-    const int shift = vp8_norm[range];
+    const unsigned char shift = vp8_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;

diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h
index fbc1003..68e1bd6 100644 (file)
--- a/vpx_dsp/bitreader.h
+++ b/vpx_dsp/bitreader.h
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {
   }
 
   {
-    const int shift = vpx_norm[range];
+    const unsigned char shift = vpx_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;