From: kyslov Date: Sat, 5 Jan 2019 01:04:09 +0000 (-0800) Subject: Fix OOB memory access on fuzzed data X-Git-Tag: v1.8.0~14^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=46e17f0cb4a80b36755c84b8bf15731d3386c08f;p=libvpx Fix OOB memory access on fuzzed data vp8_norm table has 256 elements while index to it can be higher on fuzzed data. Typecasting it to unsigned char will ensure valid range and will trigger proper error later. Also declaring "shift" as unsigned char to avoid UB sanitizer warning BUG=b/122373286,b/122373822,b/122371119 Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5 --- diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h index e342d7c5c..f2a18f0d9 100644 --- a/vp8/decoder/dboolhuff.h +++ b/vp8/decoder/dboolhuff.h @@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) { } { - const int shift = vp8_norm[range]; + const unsigned char shift = vp8_norm[(unsigned char)range]; range <<= shift; value <<= shift; count -= shift; diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h index fbc100309..68e1bd694 100644 --- a/vpx_dsp/bitreader.h +++ b/vpx_dsp/bitreader.h @@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) { } { - const int shift = vpx_norm[range]; + const unsigned char shift = vpx_norm[(unsigned char)range]; range <<= shift; value <<= shift; count -= shift;
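Review bot: In vp8/decoder/dboolhuff.h, the cast in `vp8_norm[(unsigned char)range]` bounds only the table index; `range` itself is left unchanged, so the following `range <<= shift;` still operates on the out-of-range value, and the low 8 bits select an unrelated table entry. The commit message relies on a "proper error later", but nothing in this hunk shows where that happens. Consider detecting `range > 255` at this point and reporting the corrupt state explicitly, or at minimum add a comment at the cast that points to the later check that rejects the stream, so the truncation is not read as a fix for the underlying bad state.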
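Review bot: In vpx_dsp/bitreader.h, the line `const unsigned char shift = vpx_norm[(unsigned char)range];` carries no comment, and the commit message states the 256-element size only for vp8_norm. Please confirm vpx_norm has the same size and add a short comment saying the cast is there to keep the index in bounds on corrupt input, otherwise a later cleanup may drop it as redundant. Since the same idiom now appears in both readers, a shared helper or macro for the bounded lookup would keep the two copies in sync.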