Browse code
avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2
This reverts a hunk from f1ca40ee00402102046fc7e59606651930436b0e
Fixes: out of array read
Fixes: 16924/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5157893162139648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 722fd4696583cc984700eaec4745922ae177b2da)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2019/09/06 19:06:30Showing 1 changed files
| ... | ... |
@@ -1513,7 +1513,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, |
| 1513 | 1513 |
} |
| 1514 | 1514 |
|
| 1515 | 1515 |
} else if (vr_type == 2) {
|
| 1516 |
- unsigned voffs_div = FASTDIV(voffset << 1, ch <<1); |
|
| 1516 |
+ unsigned voffs_div = ch == 1 ? voffset : FASTDIV(voffset, ch); |
|
| 1517 | 1517 |
unsigned voffs_mod = voffset - voffs_div * ch; |
| 1518 | 1518 |
|
| 1519 | 1519 |
for (k = 0; k < step; ++k) {
|