diff options
| author | Wei Jia <wjia@google.com> | 2015-09-08 09:35:22 -0700 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2015-09-28 17:08:05 -0700 |
| commit | 724d251615128fe410eb0d68d4a521d9a135841d (patch) | |
| tree | 130d8eb412c78c23a62d2e0f094b615134e0f139 | |
| parent | 0ec5338fec5ab4f39842066fb64534a155b1e314 (diff) | |
| download | tremolo-marshmallow-release.tar.gz | |
libvorbisidec: sanity check index of marker.android-cts-6.0_r9android-cts-6.0_r8android-cts-6.0_r7android-cts-6.0_r6android-cts-6.0_r5android-cts-6.0_r4android-cts-6.0_r32android-cts-6.0_r31android-cts-6.0_r30android-cts-6.0_r3android-cts-6.0_r29android-cts-6.0_r28android-cts-6.0_r27android-cts-6.0_r26android-cts-6.0_r25android-cts-6.0_r24android-cts-6.0_r23android-cts-6.0_r22android-cts-6.0_r21android-cts-6.0_r20android-cts-6.0_r2android-cts-6.0_r19android-cts-6.0_r18android-cts-6.0_r17android-cts-6.0_r16android-cts-6.0_r15android-cts-6.0_r14android-cts-6.0_r13android-cts-6.0_r12android-6.0.0_r7android-6.0.0_r6android-6.0.0_r5android-6.0.0_r4android-6.0.0_r3android-6.0.0_r2marshmallow-releasemarshmallow-cts-release
Bug: 23881715
Change-Id: I6b9185fc41341f997dca25f6394dcaab0927487b
| -rw-r--r-- | Android.mk | 2 | ||||
| -rw-r--r-- | Tremolo/codebook.c | 12 |
2 files changed, 11 insertions, 3 deletions
@@ -36,6 +36,8 @@ LOCAL_CFLAGS+= -O2 LOCAL_C_INCLUDES:= \ $(LOCAL_PATH)/Tremolo +LOCAL_SHARED_LIBRARIES := liblog + LOCAL_ARM_MODE := arm LOCAL_MODULE := libvorbisidec diff --git a/Tremolo/codebook.c b/Tremolo/codebook.c index 66979dc..ff280b7 100644 --- a/Tremolo/codebook.c +++ b/Tremolo/codebook.c @@ -39,12 +39,14 @@ #include <string.h> #include <math.h> #include <limits.h> +#include <log/log.h> #include "ogg.h" #include "ivorbiscodec.h" #include "codebook.h" #include "misc.h" #include "os.h" +#define MARKER_SIZE 33 /**** pack/unpack helpers ******************************************/ int _ilog(unsigned int v){ @@ -145,7 +147,7 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, codebook *b, oggpack_buffer *opb,int maptype){ long i,j,count=0; long top=0; - ogg_uint32_t marker[33]; + ogg_uint32_t marker[MARKER_SIZE]; if (n<1) return 1; @@ -158,6 +160,10 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, for(i=0;i<n;i++){ long length=l[i]; if(length){ + if (length < 0 || length >= MARKER_SIZE) { + ALOGE("b/23881715"); + return 1; + } ogg_uint32_t entry=marker[length]; long chase=0; if(count && !entry)return -1; /* overpopulated tree! */ @@ -200,7 +206,7 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, /* prune the tree; the implicit invariant says all the longer markers were dangling from our just-taken node. Dangle them from our *new* node. */ - for(j=length+1;j<33;j++) + for(j=length+1;j<MARKER_SIZE;j++) if((marker[j]>>1) == entry){ entry=marker[j]; marker[j]=marker[j-1]<<1; @@ -217,7 +223,7 @@ static int _make_words(char *l,long n,ogg_uint32_t *r,long quantvals, really exist; there's only one possible 'codeword' or zero bits, but the above tree-gen code doesn't mark that. */ if(b->used_entries != 1){ - for(i=1;i<33;i++) + for(i=1;i<MARKER_SIZE;i++) if(marker[i] & (0xffffffffUL>>(32-i))){ return 1; } |