Fix OOB memory access on fuzzed data

vp8_norm table has 256 elements while index to it can be higher on
fuzzed data. Typecasting it to unsigned char will ensure valid range and
will trigger proper error later. Also declaring "shift" as unsigned char to
avoid UB sanitizer warning

BUG=b/122373286,b/122373822,b/122371119

Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5

diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
index e342d7c5cfec9aa02e01559389c0f9852eb7a7f8..f2a18f0d90dab35c48e88e529ad70a331439f08f 100644 (file)
--- a/vp8/decoder/dboolhuff.h
+++ b/vp8/decoder/dboolhuff.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
   }
 
   {
-    const int shift = vp8_norm[range];
+    const unsigned char shift = vp8_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;

diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h
index fbc1003090a192ca039f1f7b3e5a94564fcf6fdb..68e1bd694d4b5480e30b3b257f4262c155884acc 100644 (file)
--- a/vpx_dsp/bitreader.h
+++ b/vpx_dsp/bitreader.h
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {
   }
 
   {
-    const int shift = vpx_norm[range];
+    const unsigned char shift = vpx_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;