From 366d919016a679d3955f6fe5278fa7ce4f47b81e Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Tue, 3 Aug 2010 00:25:06 +0000
Subject: [PATCH] vorbisdec: Prevent a potential integer overflow.

If sizeof uint_fast8_t > 1 and sizeof size_t <= 4, the expression that mallocs classifs is susceptible to integer overflow.

Originally committed as revision 24675 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/vorbis_dec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vorbis_dec.c b/libavcodec/vorbis_dec.c
index 1772e55..b543f5c 100644
--- a/libavcodec/vorbis_dec.c
+++ b/libavcodec/vorbis_dec.c
@@ -103,7 +103,7 @@ typedef struct {
 int_fast16_t books[64][8];
 uint_fast8_t maxpass;
 uint_fast16_t ptns_to_read;
- uint_fast8_t *classifs;
+ uint8_t *classifs;
 } vorbis_residue;
 
 typedef struct {
@@ -1267,7 +1267,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
 GetBitContext *gb = &vc->gb;
 uint_fast8_t c_p_c = vc->codebooks[vr->classbook].dimensions;
 uint_fast16_t ptns_to_read = vr->ptns_to_read;
- uint_fast8_t *classifs = vr->classifs;
+ uint8_t *classifs = vr->classifs;
 uint_fast8_t pass;
 uint_fast8_t ch_used;
 uint_fast8_t i,j,l;
-- 
2.7.4
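Review bot: Narrowing `classifs` to `uint8_t *` in `vorbis_residue` removes the element-size multiplier, but the allocation expression the commit message refers to is not part of this diff, so as far as these hunks show the remaining count arithmetic at that site is still unchecked. It would be worth confirming there that the element count is bounded before the allocation, rather than relying on the element type alone. On the field I would record the invariant so a later type change does not reintroduce the problem, e.g. `uint8_t *classifs; /* one byte per entry; keep byte-sized, the allocation size depends on it */`. The same applies to the local `classifs` in `vorbis_residue_decode_internal` (second hunk), whose body starts and ends outside the hunk; values stored through it are now truncated to 8 bits, which presumably matches the range of a classification but should be checked against the writers.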