From 7149fce2cac0474a5fbc5b47add1158cd8bb283e Mon Sep 17 00:00:00 2001
From: Chris Evans <cevans@chromium.org>
Date: Wed, 4 Jan 2012 17:24:15 +0100
Subject: ogg: Avoid the possibility to read out-of-bounds of a static global
 array in Vorbis decoding.

BUG=100543
Review URL: http://codereview.chromium.org/8365014
This fixes 25% of CVE-2011-3893

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/vorbis.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index b850b59dd0..dce7a55975 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -156,7 +156,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
     }
 }
 
-static inline void render_line_unrolled(intptr_t x, intptr_t y, int x1,
+static inline void render_line_unrolled(intptr_t x, unsigned char y, int x1,
                                         intptr_t sy, int ady, int adx,
                                         float *buf)
 {
@@ -191,7 +191,7 @@ static void render_line(int x0, int y0, int x1, int y1, float *buf)
     } else {
         int base = dy / adx;
         int x    = x0;
-        int y    = y0;
+        unsigned char y = y0;
         int err  = -adx;
         ady -= FFABS(base) * adx;
         while (++x < x1) {
-- 
cgit v1.2.3