From 8c50704ebf1777bee76772c4835d9760b3721057 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 4 Oct 2014 03:12:34 +0200
Subject: avcodec/vorbisdec: Fix off by 1 error in ptns_to_read

Fixes read of uninitialized memory
Fixes: asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/vorbisdec.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'libavcodec/vorbisdec.c')

diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 87d1bbb97a..354ab0e466 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -1314,7 +1314,9 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
                                            vorbis_residue *vr,
                                            uint8_t *do_not_decode,
                                            unsigned ch_used,
-                                           int partition_count)
+                                           int partition_count,
+                                           int ptns_to_read
+                                          )
 {
     int p, j, i;
     unsigned c_p_c         = vc->codebooks[vr->classbook].dimensions;
@@ -1336,7 +1338,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
                 for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
                     temp2 = (((uint64_t)temp) * inverse_class) >> 32;
 
-                    if (i < vr->ptns_to_read)
+                    if (i < ptns_to_read)
                         vr->classifs[p + i] = temp - temp2 * vr->classifications;
                     temp = temp2;
                 }
@@ -1344,13 +1346,13 @@ static av_always_inline int setup_classifs(vorbis_context *vc,
                 for (i = partition_count + c_p_c - 1; i >= partition_count; i--) {
                     temp2 = temp / vr->classifications;
 
-                    if (i < vr->ptns_to_read)
+                    if (i < ptns_to_read)
                         vr->classifs[p + i] = temp - temp2 * vr->classifications;
                     temp = temp2;
                 }
             }
         }
-        p += vr->ptns_to_read;
+        p += ptns_to_read;
     }
     return 0;
 }
@@ -1404,7 +1406,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
         for (partition_count = 0; partition_count < ptns_to_read;) {  // SPEC        error
             if (!pass) {
                 int ret;
-                if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count)) < 0)
+                if ((ret = setup_classifs(vc, vr, do_not_decode, ch_used, partition_count, ptns_to_read)) < 0)
                     return ret;
             }
             for (i = 0; (i < c_p_c) && (partition_count < ptns_to_read); ++i) {
-- 
cgit v1.2.3