Specwriting found a possible stack smash in floor0.c decode. repaired
authorMonty <xiphmont@xiph.org>
Wed, 17 Jul 2002 21:34:31 +0000 (21:34 +0000)
committerMonty <xiphmont@xiph.org>
Wed, 17 Jul 2002 21:34:31 +0000 (21:34 +0000)
svn path=/trunk/vorbis/; revision=3651

lib/floor0.c

index 34376ea..5b0d68e 100644 (file)
@@ -11,7 +11,7 @@
  ********************************************************************
 
  function: floor backend 0 implementation
- last mod: $Id: floor0.c,v 1.52 2002/06/28 22:19:35 xiphmont Exp $
+ last mod: $Id: floor0.c,v 1.53 2002/07/17 21:34:31 xiphmont Exp $
 
  ********************************************************************/
 
@@ -181,7 +181,11 @@ static void *floor0_inverse1(vorbis_block *vb,vorbis_look_floor *i){
       codec_setup_info  *ci=vb->vd->vi->codec_setup;
       codebook *b=ci->fullbooks+info->books[booknum];
       float last=0.f;
-      float *lsp=_vorbis_block_alloc(vb,sizeof(*lsp)*(look->m+1));
+
+      /* the additional b->dim is a guard against any possible stack
+         smash; b->dim is provably more than we can overflow the
+         vector */
+      float *lsp=_vorbis_block_alloc(vb,sizeof(*lsp)*(look->m+b->dim+1));
             
       for(j=0;j<look->m;j+=b->dim)
        if(vorbis_book_decodev_set(b,lsp+j,&vb->opb,b->dim)==-1)goto eop;
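Review bot: The new comment on the `lsp` allocation calls the padding "provably" sufficient without stating the bound, and it says "stack smash" although the buffer comes from `_vorbis_block_alloc`, which presumably is not stack storage. The loop below writes `b->dim` floats at every `j<look->m`, so the last write ends at index `look->m+b->dim-2` at most; I would put that in the comment, e.g. `/* decodev_set writes b->dim floats at each j<look->m, so writes end by index look->m+b->dim-2; pad the vector by b->dim */`. The same loop never advances if `b->dim` is zero, and the size product `sizeof(*lsp)*(look->m+b->dim+1)` is unchecked; whether codebook setup already bounds `b->dim` and `look->m` is not visible in this hunk, so that should be confirmed rather than assumed. `floor0_inverse1` starts and ends outside the hunk.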